Smart Contract / State Variable Default Visibility

Description

State Variable Default Visibility is a type of vulnerability associated with Smart Contract applications. This vulnerability occurs when a state variable is declared but its visibility is not specified, thus allowing anyone to access the state variable and change its value. It is an example of a software vulnerability classified in the CWE directory as CWE-843: Access of Uninitialized Variable. According to the OWASP Testing Guide, the vulnerability can be exploited when the application fails to properly set the default visibility of a state variable to private, thus allowing attackers to change the value of the state variable and take control of the application.

Risk

This vulnerability can lead to security issues such as unauthorized access and data manipulation, as attackers can access and change the value of the state variable. Additionally, attackers can gain access to sensitive information stored in the state variable, leading to further malicious activities. The risk associated with this vulnerability is therefore high.

Solution

To address this vulnerability, developers should ensure that all state variables have the appropriate default visibility set. This can be done by explicitly specifying the visibility of each state variable, or by setting the default visibility to private. Additionally, developers should review their code for any state variables that have been declared but not initialized properly.

Example

The following is an example of code vulnerable to State Variable Default Visibility from the CVE directory. In this code, the variable balance has been declared but no visibility has been set, thus allowing anyone to access and change the variable.

contract Account {
    uint256 public constant MAX_UINT256 = 2**256 - 1;
    uint256 balance;
    constructor() public {
        balance = MAX_UINT256;
    }
}