Default Visibility
Function Default Visibility
Functions that do not have a visibility specified are public by default. This can lead to a vulnerability if a developer forgets to set the visibility and a malicious user is then able to make unauthorized or unintended state changes. (The default applies to Solidity compilers before 0.5.0; from 0.5.0 onward the compiler rejects a function with no visibility, so the issue mainly affects legacy code and contracts still built with older compilers.)
Function visibility can be specified as public, private, internal, or external. Decide deliberately which visibility is appropriate for each function in the contract.
Many smart contract attacks have been caused by a developer forgetting, or choosing not, to use a visibility modifier. The function then defaults to public, which can lead to unintended state changes.
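The following is an added illustration of this section, not the page's own visibility_not_set.sol; the contract and function names (WalletUnsafe, Thief, WalletSafe, _setOwner) are made up for it. It puts the vulnerable contract, a caller that abuses the accidentally public helper, and the explicitly-scoped fix side by side. It targets a 0.4.x compiler on purpose: with Solidity 0.5.0 or later the missing visibility on _setOwner is a compile error rather than a silent public function.

```solidity
// Added example; not code from the page or its example files.
// Compiles with solc 0.4.22 through 0.4.26. From 0.5.0 onward the missing
// visibility on _setOwner is rejected at compile time.
pragma solidity ^0.4.24;

// Vulnerable: _setOwner was meant to be an internal helper, but no visibility
// was written, so under 0.4.x it defaults to public and anyone can call it.
contract WalletUnsafe {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    function deposit() public payable {}

    // BUG: no visibility keyword, so this defaults to public.
    function _setOwner(address newOwner) {
        owner = newOwner;
    }

    function transferOwnership(address newOwner) public {
        require(msg.sender == owner, "not owner");
        _setOwner(newOwner);
    }

    function withdrawAll() public {
        require(msg.sender == owner, "not owner");
        msg.sender.transfer(address(this).balance);
    }
}

// The owner check on transferOwnership is bypassed entirely: seize
// ownership through the public helper, then drain the balance as owner.
contract Thief {
    function steal(WalletUnsafe target) public {
        target._setOwner(address(this));
        target.withdrawAll();
    }

    // Accepts the ether sent by withdrawAll().
    function () public payable {}
}

// Fixed: every function carries an explicit visibility. _setOwner is
// internal, so the only path to it runs through transferOwnership's check.
contract WalletSafe {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    function deposit() external payable {}

    function _setOwner(address newOwner) internal {
        owner = newOwner;
    }

    function transferOwnership(address newOwner) external {
        require(msg.sender == owner, "not owner");
        _setOwner(newOwner);
    }

    function withdrawAll() external {
        require(msg.sender == owner, "not owner");
        msg.sender.transfer(address(this).balance);
    }
}
```

Against WalletSafe the same steal() call fails to compile, because _setOwner is no longer part of the contract's external interface. Note that a 0.4.x compiler only emits a warning for the missing visibility in WalletUnsafe, which is easy to miss in a noisy build; a linter rule or a 0.5.0+ compiler turns it into a hard failure.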
State Variable Default Visibility
It's common for developers to explicitly declare function visibility, but less common to declare variable visibility. State variables can have one of three visibility identifiers: public, internal, or private. Luckily, the default visibility for state variables is internal, not public, but even if you intend a variable to be internal, it's important to be explicit so that there are no incorrect assumptions about who can access it. Note that none of these keywords makes a value secret: private and internal only restrict access from other contracts' code, and every state variable can be read directly from chain storage.
Remediation
Functions can be specified as external, public, internal or private. It is recommended to make a conscious decision on which visibility type is appropriate for each function. This can dramatically reduce the attack surface of a contract system.
Examples
visibility_not_set.sol
visibility_not_set.yaml
visibility_not_set_fixed.sol
visibility_not_set_fixed.yaml
Resources