...by Daniel Szego
"Simplicity is the ultimate sophistication."
Leonardo da Vinci

Sunday, June 17, 2018

Solidity Tips and Tricks - private variable value


Private variables in Solidity are usually not as private as people expect. The value of a private variable can be read out by anyone running a full client node with a JavaScript console. As an example, consider the following private variable of a contract:

pragma solidity ^0.4.22; // constructor() syntax needs 0.4.22 or newer

contract PrivateContract {

    // "private" only stops other contracts from reading it through Solidity;
    // the value still sits in storage slot 0 of this contract in clear text
    string private Password = "MyPassword123";

    constructor() public {
    }
}

By knowing the contract address and running a full node on the Ethereum network, you can easily read out the value of the private variable, for example with:

 web3.eth.getStorageAt(contractAddress, 0)

which returns the following hex value:

'0x4d7950617373776f72643132330000000000000000000000000000000000001a'

which decodes (as ASCII) to:

MyPassword123

So the message is simple: do not store private information in private variables on the blockchain, because it is not really private!