EVM Exploit July 19, 2017 3 min read

Default Visibility Exploit Generator

Sigvex exploit generator that validates default visibility vulnerabilities in Solidity contracts where missing visibility modifiers default to public, exposing sensitive initialization and admin functions.

evmaccess-controlexploit-generator

Default Visibility Exploit Generator

Overview

The default visibility exploit generator validates findings from the default_visibility, visibility_missing, and related detectors by classifying the type of exposed function from the finding description and producing a targeted proof of concept. This vulnerability is specific to Solidity contracts compiled with versions before 0.5.0, where omitting a visibility modifier caused functions to default to public.

Two canonical historical exploits demonstrate the impact. Rubixi (2016): A contract was renamed from DynamicPyramid to Rubixi but the constructor function name was not updated, causing the old DynamicPyramid() function to become a regular public function (Solidity 0.4.x used function-name constructors). Attackers called it to claim ownership. The Parity Wallet hack also involved an initialization function (initWallet) that was publicly accessible due to insufficient visibility controls.

Note: Exploit generation in Sigvex is for vulnerability validation purposes only.

Attack Scenario

Public initialization function:

A contract has function initOwner(address _owner) without a visibility modifier.
In Solidity 0.4.x, this defaults to public. Attackers can call it at any time.
The attacker calls initOwner(attackerAddress) after deployment.
Owner is now the attacker. All onlyOwner functions are accessible to the attacker.
The attacker calls withdraw() to drain all contract ETH.

Public destructor:

A contract has function kill() without visibility, defaulting to public.
Any address can call kill(), triggering selfdestruct(owner).
The contract is permanently destroyed and its bytecode erased.

Public admin functions:

Internal helper functions (resetOwner(), updateThreshold()) lack visibility.
Attackers call them directly to modify critical state variables.
Combined with ownership reset and threshold manipulation, full fund extraction follows.

Exploit Mechanics

The generator classifies the vulnerability type from the finding description:

Description contains	Vulnerability type	Severity
”constructor”, “init”, “setup”	`public_initialization`	Critical: anyone can become owner
”owner”, “admin”	`public_admin_function`	High: unauthorized admin access
”destroy”, “kill”	`public_destructor`	Critical: anyone can destroy contract
(other)	`unspecified_visibility`	Medium: unintended exposure

Evidence collected includes: original owner address, attacker address, contract balance, and vulnerability type. Estimated gas: 40,000.

The PoC covers four vulnerability patterns using Solidity 0.4.24 syntax:

// VULNERABLE (Solidity 0.4.x): No visibility — defaults to PUBLIC
contract VulnerableInit {
    address owner;

    function initOwner(address _owner) { // Public by default!
        owner = _owner;
    }
}

// EXPLOIT
contract InitExploit {
    function attack(VulnerableInit target) public {
        target.initOwner(address(this)); // Become owner
        target.withdraw();               // Drain funds
    }
}

Remediation

Detector: Default Visibility Detector
Remediation Guide: Default Visibility Remediation

The simplest fix is to upgrade to Solidity 0.5.0 or later, which requires explicit visibility on all functions at compile time:

// Solidity 0.5.0+: Compiler requires explicit visibility
// This fails to compile without a modifier:
// function initOwner(address _owner) { ... } // Error!

// Correct: Use internal for setup-only functions
function _initOwner(address _owner) internal { ... }

// Correct: Use private for helpers
function _computeReward() private returns (uint256) { ... }

// Correct: Use external for public API
function withdraw() external onlyOwner { ... }

For contracts that cannot be recompiled, deploy a new contract with corrected visibility. For upgradeable proxies, update the implementation to Solidity 0.5.0+.

Naming conventions help prevent accidental exposure: prefix _internal or __private functions accordingly, and use static analysis tools (Slither, Solhint) that flag missing visibility.

References

SWC-100: Function Default Visibility
SWC-118: Incorrect Constructor Name
Solidity 0.5.0 Breaking Changes
Rubixi Contract Exploit (2016)

EVM Attack Pattern

Access Control Bypass

How attackers exploit missing or improper access restrictions on critical functions — responsible for over $1.3 billion in DeFi losses including the largest hack in history.

EVM Detector

Access Control

Detects missing or improperly implemented access controls on privileged functions, allowing unauthorized callers to execute restricted operations.

EVM Exploit

Access Control Bypass Exploit Generator

Sigvex exploit generator that validates missing access control by calling privileged functions from an unauthorized address and checking for storage mutations.

EVM Exploit

Bridge Message Manipulation Exploit Generator

Sigvex exploit generator that validates cross-chain bridge vulnerabilities including message replay, cross-chain replay, and Nomad-style uninitialized state exploitation.

EVM Exploit

Centralization Risks Exploit Generator

Sigvex exploit generator that validates centralization risk findings by classifying the specific privilege type and documenting the trust assumptions and attack scenarios enabled by single-owner control.

EVM Exploit

Cross-Chain Balance Inconsistency Exploit Generator

Sigvex exploit generator that validates cross-chain bridge balance inconsistency vulnerabilities including replay attacks, non-atomic operations, weak proof verification, and finality exploits that allow token supply inflation on the destination chain.

EVM Exploit

Selfdestruct Vulnerability Exploit Generator

Sigvex exploit generator that validates selfdestruct vulnerabilities including unprotected self-destruction, library-based destruction (Parity-style), and forced ETH reception.

EVM Exploit

tx.origin Authentication Exploit Generator

Sigvex exploit generator that validates tx.origin authentication vulnerabilities by simulating a phishing scenario where an intermediary contract calls the victim with the owner's tx.origin.

EVM Exploit

Validator/Relayer Compromise Exploit Generator

Sigvex exploit generator that validates bridge validator and relayer compromise vulnerabilities including low M-of-N thresholds, key management failures, centralized relayers, and missing validator rotation — with the Ronin Bridge ($625M) as the canonical attack scenario.

EVM Remediation

Access Control Remediation

How to implement proper access controls on privileged functions using ownership patterns, role-based access, and multi-signature authorization.

EVM Remediation

Arbitrary Storage Write Remediation

How to eliminate arbitrary storage write vulnerabilities by removing user-controlled assembly SSTORE operations, using Solidity mappings, and enforcing slot allowlists for unavoidable inline assembly.

EVM Remediation

Bridge Message Remediation

How to secure cross-chain bridge message processing by implementing nonce-based replay protection, chain ID binding, explicit state initialization, and validator threshold requirements.

EVM Remediation

Centralization Risks Remediation

How to reduce centralization risk through timelocks, multi-signature wallets, on-chain governance, and hard-coded parameter caps that protect users from compromised or malicious admins.

EVM Remediation

Cross-Chain Balance Inconsistency Remediation

How to eliminate cross-chain bridge balance vulnerabilities by implementing proof deduplication, deep finality requirements, Merkle proof verification, and the lock-and-mint pattern.

EVM Remediation

Default Visibility Remediation

How to eliminate default visibility vulnerabilities by always specifying explicit visibility modifiers on all functions and state variables, and upgrading to Solidity 0.5.0+ which enforces this at compile time.

EVM Remediation

ERC20 Violations Remediation

How to eliminate ERC20 integration vulnerabilities by using SafeERC20 for all token operations, measuring actual received amounts for fee-on-transfer tokens, and handling non-standard token behaviors such as missing return values and rebase mechanics.

EVM Remediation

Use the Sign In button in the navigation bar.

Sigvex

Advanced bytecode decompilation and security analysis across multiple runtimes. Detect vulnerabilities, exploits, and reverse-engineer smart contracts directly on-chain.

Product

Features
How It Works
Pricing

Resources

Knowledge Base
Research
Blog

Company

About
Contact
Security

Legal

Terms of Service
Privacy Policy
Cookie Policy
Acceptable Use

Built for developers, by developers.