Intro to Smart Contract Security Audits | Accessing Private Data

Background overview

1. Storage

  • The data in storage is stored permanently. It is stored in the slot as a key-value pair.
  • Data in storage gets written on the blockchain (so they change state), which is why using storage is very expensive.
  • The gas cost to occupy a 256-bit slot is 20,000 gas.
  • Modifying the value of storage will cost 5,000 gas.
  • A certain amount of gas is refunded when a storage slot is cleaned up (i.e. set non-zero bytes to zero).
  • storage has a total of 2²⁵⁶ slots, 32 bytes of data in each slot are stored sequentially in the order of declaration. The data will be stored from the right side of each slot, if adjacent variables fit into a single 32 bytes, then they are stored in packs into the same slot otherwise, a new slot will be enabled for storage.
  • Storage methods of arrays in storage are unique. Arrays in solidity are divided into two types.

2. Memory

  • memory is a byte array with a slot size of 256 bits (32 bytes). Data is only stored during function execution and is deleted after execution. They are not saved to the blockchain.
  • Reading or writing a byte (256 bits) requires 3 gas.
  • In order to avoid too much work for miners, the cost will start to rise after 22 read and write operations.

3. Calldata (call data)

  • calldata is an unmodifiable, non-persistent area used to store function parameters and behaves basically like memory.
  • Calldata is required for arguments to calls to external functions, and can also be used for other variables.
  • It avoids duplication and ensures that data cannot be modified.
  • Arrays and structs with calldata data locations can also be returned from functions, but no assignment to this type is possible.

Vulnerability example

Contract source code

Vulnerability Analysis

Reading Data

Preventative Techniques

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store