Last updated: December 19, 2024
SCWE-010: Hardcoded Constants
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Description
Hardcoded constants refer to values that are embedded directly into the code and cannot be easily changed without modifying the code itself. These constants may include critical parameters, addresses, or settings that could be subject to change based on external factors or evolving needs. Hardcoding these values in the code introduces several issues:
- Lack of flexibility: Once the contract is deployed, these hardcoded values cannot be changed without deploying a new version, leading to inefficiency and reduced adaptability.
- Security risks: Hardcoded values may expose sensitive information or create vulnerabilities if they are not properly protected.
- Upgrade challenges: Contracts with hardcoded constants cannot easily evolve to support new functionality or parameters without requiring costly redeployment.
Remediation
- Use variables instead of constants: Instead of hardcoding values, define them as variables that can be updated through administrative actions.
- Implement upgradeable contract patterns: Use proxy contracts or other patterns that support upgrades to allow flexibility in modifying constants.
- External configuration: Use off-chain storage for configuration values that can be updated without needing to deploy new contract versions.
Samples
Contract with Hardcoded Constants
```solidity
pragma solidity ^0.4.0;

contract HardcodedConstants {
    // Literal values fixed in the source at compile time
    address public owner = 0x1234567890abcdef1234567890abcdef12345678; // Hardcoded address
    uint public maxSupply = 1000000; // Hardcoded supply limit

    // Note: neither setter checks msg.sender, so any account can call them
    function setOwner(address newOwner) public {
        owner = newOwner;
    }

    function setMaxSupply(uint newMaxSupply) public {
        maxSupply = newMaxSupply;
    }
}
```
In this example, the `owner` address and `maxSupply` are hardcoded values: the literals are fixed in the contract code and cannot be changed without redeploying the contract. This reduces flexibility and creates potential security risks.
Improved Contract with External Configuration
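```solidity
pragma solidity ^0.4.22; // the `constructor` keyword requires 0.4.22 or later

contract ConfigurableContract {
    address public owner;
    uint public maxSupply;

    // Values are supplied by the deployer instead of being written into the source
    constructor(address initialOwner, uint initialMaxSupply) public {
        owner = initialOwner;
        maxSupply = initialMaxSupply;
    }

    // Only the current owner may change the configuration
    function setOwner(address newOwner) public {
        require(msg.sender == owner, "not owner");
        owner = newOwner;
    }

    function setMaxSupply(uint newMaxSupply) public {
        require(msg.sender == owner, "not owner");
        maxSupply = newMaxSupply;
    }
}
```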
In this improved example, the `owner` address and `maxSupply` are set through the constructor at deployment and can then be updated through the setter functions, allowing for more flexibility without the need for redeployment.
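A review-time check for the pattern in the first sample, as an added example that is not part of SCWE or of any existing tool: it flags contract-level state variables initialized from an address or numeric literal. The function name, the regex heuristics, and the condensed copies of the two sample contracts are assumptions of this example; a real audit would use a Solidity parser.

```python
import re

# Heuristic lint: contract-level state variables initialised from an address or
# numeric literal. Regex-based, not a Solidity parser.
STATE_VAR = re.compile(
    r"^\s*(?P<type>address|u?int\d*)\b"
    r"(?:\s+(?:public|private|internal|constant|immutable|payable))*"
    r"\s+(?P<name>[A-Za-z_]\w*)\s*=\s*"
    r"(?P<value>0x[0-9a-fA-F]+|\d[\d_]*(?:\s+(?:wei|gwei|ether))?)\s*;"
)
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def find_hardcoded_state(source):
    """Return (line, name, declared_type, literal) for each flagged declaration."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    stripped = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings, depth = [], 0
    for lineno, line in enumerate(stripped.splitlines(), 1):
        # Brace depth 1 is the contract body; deeper lines are function bodies.
        m = STATE_VAR.match(line) if depth == 1 else None
        if m:
            findings.append((lineno, m.group("name"), m.group("type"), m.group("value")))
        depth += line.count("{") - line.count("}")
    return findings


# Condensed copies of the two sample contracts on this page.
VULNERABLE = """pragma solidity ^0.4.0;
contract HardcodedConstants {
    address public owner = 0x1234567890abcdef1234567890abcdef12345678; // Hardcoded address
    uint public maxSupply = 1000000; // Hardcoded supply limit
    function setOwner(address newOwner) public { owner = newOwner; }
}
"""
CONFIGURABLE = """pragma solidity ^0.4.22;
contract ConfigurableContract {
    address public owner;
    uint public maxSupply;
    constructor(address initialOwner, uint initialMaxSupply) public {
        owner = initialOwner;
        maxSupply = initialMaxSupply;
    }
}
"""

if __name__ == "__main__":
    for finding in find_hardcoded_state(VULNERABLE):
        print("SCWE-010 candidate: line %d, %s (%s) = %s" % finding)
```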