Secureum Book
  • 🛡️Secureum Bootcamp
    • 🛡️Secureum Bootcamp
    • 🙌Participate
    • 📜History
  • 📚LEARN
    • Introduction
      • 🔷1. Ethereum Basics
        • 1.1 Ethereum: Concept, Infrastructure & Purpose
        • 1.2 Properties of the Ethereum Infrastructure
        • 1.3 Ethereum vs. Bitcoin
        • 1.4 Ethereum Core Components
        • 1.5 Gas Metering: Solving the Halting Problem
        • 1.6 web2 vs. web3: The Paradigm Shift
        • 1.7 Decentralization
        • 1.8 Cryptography, Digital Signature & Keys
        • 1.9 Ethereum State & Account Types
        • 1.10 Transactions: Properties & Components
        • 1.11 Contract Creation
        • 1.12 Transactions, Messages & Blockchain
        • 1.13 EVM (Ethereum Virtual Machine) in Depth
        • 1.14 Transaction Reverts & Data
        • 1.15 Block Explorer
        • 1.16 Mainnet & Testnets
        • 1.17 ERCs & EIPs
        • 1.18 Legal Aspects in web3: Pseudonymity & DAOs
        • 1.19 Security in web3
        • 1.20 web2 Timescales vs. web3 Timescales
        • 1.21 Test-in-Prod. SSLDC vs. Audits
        • Summary: 101 Keypoints
      • 🌀2. Solidity
        • 2.1 Solidity: Influence, Features & Layout
        • 2.2 SPDX & Pragmas
        • 2.3 Imports
        • 2.4 Comments & NatSpec
        • 2.5 Smart Contracts
        • 2.6 State Variables: Definition, Visibility & Mutability
        • 2.7 Data Location
        • 2.8 Functions
        • 2.9 Events
        • 2.10 Solidity Typing
        • 2.11 Solidity Variables
        • 2.12 Address Type
        • 2.13 Conversions
        • 2.14 Keywords & Shorthand Operators
        • 2.15 Solidity Units
        • 2.16 Block & Transaction Properties
        • 2.17 ABI Encoding & Decoding
        • 2.18 Error Handling
        • 2.19 Mathematical & Cryptographic Functions
        • 2.20 Control Structures
        • 2.21 Style & Conventions
        • 2.22 Inheritance
        • 2.23 EVM Storage
        • 2.24 EVM Memory
        • 2.25 Inline Assembly
        • 2.26 Solidity Version Changes
        • 2.27 Security Checks
        • 2.28 OpenZeppelin Libraries
        • 2.29 DAppSys Libraries
        • 2.30 Important Protocols
        • Summary: 201 Keypoints
      • 🔏3. Security Pitfalls & Best Practices
        • 3.1 Solidity Versions
        • 3.2 Access Control
        • 3.3 Modifiers
        • 3.4 Constructor
        • 3.5 Delegatecall
        • 3.6 Reentrancy
        • 3.7 Private Data
        • 3.8 PRNG & Time
        • 3.9 Math & Logic
        • 3.10 Transaction Order Dependence
        • 3.11 ecrecover
        • 3.12 Unexpected Returns
        • 3.13 Ether Accounting
        • 3.14 Transaction Checks
        • 3.15 Delete Mappings
        • 3.16 State Modification
        • 3.17 Shadowing & Pre-declaration
        • 3.18 Gas & Costs
        • 3.19 Events
        • 3.20 Unary Expressions
        • 3.21 Addresses
        • 3.22 Assertions
        • 3.23 Keywords
        • 3.24 Visibility
        • 3.25 Inheritance
        • 3.26 Reference Parameters
        • 3.27 Arbitrary Jumps
        • 3.28 Hash Collisions & Byte Level Issues
        • 3.29 Unicode RTLO
        • 3.30 Variables
        • 3.31 Pointers
        • 3.32 Out-of-range Enum
        • 3.33 Dead Code & Redundant Statements
        • 3.34 Compiler Bugs
        • 3.35 Proxy Pitfalls
        • 3.36 Token Pitfalls
        • 3.37 Special Token Pitfalls
        • 3.38 Guarded Launch Pitfalls
        • 3.39 System Pitfalls
        • 3.40 Access Control Pitfalls
        • 3.41 Testing, Unused & Redundand Code
        • 3.42 Handling Ether
        • 3.43 Application Logic Pitfalls
        • 3.44 Saltzer & Schroeder's Design Principles
        • Summary: 201 Keypoints
      • 🗜️4. Audit Techniques & Tools
        • 4.1 Audit
        • 4.2 Analysis Techniques
        • 4.3 Specification, Documentation & Testing
        • 4.4 False Positives & Negatives
        • 4.5 Security Tools
        • 4.6 Audit Process
        • Summary: 101 Keypoints
      • ☝️5. Audit Findings
        • 5.1 Criticals
        • 5.2 Highs
        • 5.3 Mediums
        • 5.4 Lows
        • 5.5 Informationals
        • Summary: 201 Keypoints
  • 🌱CARE
    • CARE
      • CARE Reports
  • 🚩CTFs
    • A-MAZE-X CTFs
      • Secureum A-MAZE-X
      • Secureum A-MAZE-X Stanford
      • Secureum A-MAZE-X Maison de la Chimie Paris
Powered by GitBook
On this page
  • Variable Names
  • Uninitialized Variables
  • Constants
  • Unused State/Local Variables
  1. LEARN
  2. Introduction
  3. 3. Security Pitfalls & Best Practices

3.30 Variables

Variable Names

There's a security best practice related to variable names. This ties to the programming style guidelines that we discussed in the Solidity module.

The names of variables should be as distinct and unique from each other as possible because if they are very similar (if they differ by only a few characters or one character), then it could be confusing both to the developer as well as to the security reviewer.

From a developer's perspective, it could lead to replaced usages where the developer uses a different variable than what was intended. As you can imagine, this can have disastrous effects to the functioning of the smart contract.

So variable naming affects readability it affects maintainability and auditability of the code. The best practice is to use very distinct names for the variables meaningful names for the variables, so that errors are avoided.

Uninitialized Variables

Another security pitfall related to variables is the use of uninitialized state or local variables. Remember that in Solidity the default values of uninitialized variables such as address, bool or uint is 0, string is "" and so on.

This results in address variables ending up as the zero address and boolean variables taking the value of false because 0 is effectively false (we have talked about the risks from 0 addresses and bools being false by default will result in the conditionals taking a different branch than what was intended).

The best practice is to make sure that state and local variables are initialized with reasonable values, so that errors are avoided from having the default values being used.

Constants

There is a best practice related to the use of the constant specifier for state variables in Solidity.

State variables whose values do not need to change for the duration of the lifetime of the contract can be declared as constant. This saves Gas because the compiler replaces all the occurrences of such state variables with the constant value. This effectively means that reading such state variables no longer requires the expensive SLOAD instructions.

So the best practice is to identify such state variables whose values do not need to change over the lifetime of the contract and declare them as constant. This also has an additional side effect on improving security because such state variables can no longer be accidentally changed within the different functions of the contract.

Unused State/Local Variables

Another aspect that needs to be paid attention in the use of variables inside contracts is that these could be state variables or local variables. The specific aspect is that if these variables are declared but are never used within the contract.

It could be indicative of missing logic that is expected to be there (that uses these variables in certain ways). It may be missing because the developer forgot to add it or it could simply be indicative of some optimization opportunity where such variables can actually be removed and reduce the size of the byte curve, and therefore reduce the amount of Gas that is used either during deployment or during runtime.

The best practice here is to pay attention to all the variables that are declared (in functions, in the contract, state variables...), see if they are used and, if they are never used, then determine if they need to be removed for optimization, or if there is any logic that is missing that needs to be added that uses those variables.

Previous3.29 Unicode RTLONext3.31 Pointers

Last updated 1 year ago

📚
🔏