Solidity Attack Vector #21: Accessing Private Data
SecurityInfinity Research • 4 min read
A common misconception among new Solidity developers is that marking a variable as private hides its data from the world.
The Reality
The private keyword only prevents other contracts from reading the variable. However, because everything on the blockchain is public, anyone can read the raw storage of your contract from an off-chain script.
Exploit Example
Because a contract's storage layout is deterministic, anyone can call web3.eth.getStorageAt(contractAddress, slotIndex) (the eth_getStorageAt JSON-RPC method) from an off-chain script and read the raw value of any storage slot, including passwords, private keys (never store these!), or hidden game moves.
Defense
If data needs to be truly secret until a certain time (like a bid or a move), use a Commit-Reveal scheme:
1. User submits a commitment: the hash of their data together with a random secret salt (keccak256(data + salt)). The contract stores only this hash, which reveals nothing about the data while the salt is unknown.
2. Later, after the commit phase has closed, the user reveals the original data and salt; the contract recomputes the hash and checks that it matches the stored commitment.
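The two steps above as one complete contract. This is an added example written for this article, not code from the original post; the contract name, function names, phase lengths and the choice of binding msg.sender into the hash are assumptions. Note that nothing here needs to be private: the only value stored before the reveal is the commitment hash, which is safe to expose even though eth_getStorageAt can read it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original post): a two-phase commit-reveal for a
// hidden game move. Contract, function and variable names are assumptions.
contract CommitRevealMove {
    // Pattern being replaced: storing the move in plaintext, e.g.
    //   uint8 private move;  // readable off-chain with eth_getStorageAt
    // Here only the commitment hash is stored until the reveal phase.

    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;

    // Public on purpose: the hash leaks nothing while the salt stays secret.
    mapping(address => bytes32) public commitments;
    mapping(address => uint8) public revealedMoves;
    mapping(address => bool) public hasRevealed;

    event Committed(address indexed player, bytes32 commitment);
    event Revealed(address indexed player, uint8 move);

    constructor(uint256 commitPhaseSeconds, uint256 revealPhaseSeconds) {
        commitDeadline = block.timestamp + commitPhaseSeconds;
        revealDeadline = commitDeadline + revealPhaseSeconds;
    }

    // Off-chain, the player computes
    //   commitment = keccak256(abi.encodePacked(move, salt, msg.sender))
    // with a fresh random 32-byte salt. Including the sender address means a
    // commitment copied from another player's transaction or storage is useless
    // to whoever copied it. All three inputs are fixed-size, so encodePacked
    // cannot produce ambiguous encodings here.
    function commit(bytes32 commitment) external {
        require(block.timestamp < commitDeadline, "commit phase over");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        require(commitment != bytes32(0), "empty commitment");
        commitments[msg.sender] = commitment;
        emit Committed(msg.sender, commitment);
    }

    // Reveal phase: the contract recomputes the hash and compares it with the
    // stored commitment. A player cannot change their move after committing,
    // because they would need a preimage for a hash they cannot invert.
    function reveal(uint8 move, bytes32 salt) external {
        require(block.timestamp >= commitDeadline, "commit phase still open");
        require(block.timestamp < revealDeadline, "reveal phase over");
        require(commitments[msg.sender] != bytes32(0), "nothing committed");
        require(!hasRevealed[msg.sender], "already revealed");
        bytes32 expected = keccak256(abi.encodePacked(move, salt, msg.sender));
        require(expected == commitments[msg.sender], "commitment mismatch");
        hasRevealed[msg.sender] = true;
        revealedMoves[msg.sender] = move;
        emit Revealed(msg.sender, move);
    }

    // Helper so off-chain code and tests compute the commitment exactly as
    // reveal() does. It is pure, so calling it leaves nothing in storage.
    function computeCommitment(uint8 move, bytes32 salt, address player)
        external
        pure
        returns (bytes32)
    {
        return keccak256(abi.encodePacked(move, salt, player));
    }
}
```

The salt must be generated with a cryptographically secure random source and kept off-chain until the reveal; a low-entropy salt (a counter, a timestamp) lets anyone brute-force the small space of possible moves against the public hash. The reveal deadline exists so that a player who dislikes the outcome cannot simply refuse to reveal forever; game logic built on this contract should treat an unrevealed commitment after revealDeadline as a forfeit.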