8

I have read many times that sensitive data should never be stored in a transaction, but, specifically, how would the value of a state variable be read if marked private?

nipponese
  • 598
  • 1
  • 5
  • 11
  • From Solidity, you can not read private variables. For direct access of storage, see https://ethereum.stackexchange.com/questions/13910/how-to-read-a-private-variable-from-a-contract – ivicaa Apr 05 '18 at 20:23

2 Answers2

12

For the example contract you gave, it looks like there's a bytes32 state variable at slot 1 with the value "A very strong secret password :)".

I found this by just calling getStorageAt a couple times:

> web3.eth.getStorageAt('0x6260319bcbcbf33f84397ae0000e49b0f50ee075', 0, (e, v) => console.log(v))
0x0000000000000000000000000000000000000000000000000000000000000001
> web3.eth.getStorageAt('0x6260319bcbcbf33f84397ae0000e49b0f50ee075', 1, (e, v) => console.log(v))
0x412076657279207374726f6e67207365637265742070617373776f7264203a29
> web3.eth.getStorageAt('0x6260319bcbcbf33f84397ae0000e49b0f50ee075', 1, (e, v) => console.log(web3.toAscii(v)));
A very strong secret password :)

If we had the source code for the contract, this would be much easier. And if the contract were obfuscated, this would be somewhat harder.

But the bottom line is that everything on the blockchain (including private state variables) is public.

user19510
  • 27,999
  • 2
  • 30
  • 48
  • Interesting. Nice work! – Zack McGinnis Apr 05 '18 at 20:59
  • @smarx do the > marks indicate you're using geth for that? I can't get an attached console session to take js (coffeescript?) like that – nipponese Apr 05 '18 at 23:47
  • I was doing this in Chrome. Not sure what version of JavaScript geth supports, but it probably doesn't like the lambda syntax. In geth, no need for a callback anyway. Just web3.eth.getStorageAt('<address>', 1) should work. – user19510 Apr 05 '18 at 23:50
1

Any contract code deployed to the blockchain can be read/viewed by anyone. This includes variables/functions declared private The only thing private does is restrict access of that variable/function to the contract it is declared within.

From the docs:enter image description here

Zack McGinnis
  • 791
  • 6
  • 6
  • My question is asking for someone to show the steps for viewing the an arbitrary state variable marked private. – nipponese Apr 05 '18 at 20:20
  • In this case, you would need to view the contract code/ABI on etherscan, and determine the value of the variable on your own. – Zack McGinnis Apr 05 '18 at 20:26
  • So for example, https://ropsten.etherscan.io/address/0x6260319bcbcbf33f84397ae0000e49b0f50ee075#code if there's no ABI shown, the string data is not readable? – nipponese Apr 05 '18 at 20:33
  • This question is a possible duplicate of https://ethereum.stackexchange.com/questions/188/how-can-you-decompile-a-smart-contract. With no contract code/ABI, I don't believe it is possible to recover specific values using only opcodes/bytecode (especially if the code was compiled using the optimizer). – Zack McGinnis Apr 05 '18 at 20:46
  • 1
    It is of course possible, though the difficulty goes up. (See my answer for how easy this particular contract is.) – user19510 Apr 05 '18 at 20:57