Last updated: February 09, 2026

SCWE-068: State Variable Default Visibility

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

In Solidity, state variables have a default visibility of internal, which means they can only be accessed within the contract or derived contracts (not by external callers). Omitting explicit visibility can lead to unintended behavior: for example, if a developer intends private but forgets to specify it, derived contracts can still access the variable; if they intend public but omit it, no getter is generated and external callers cannot read the value. Explicit visibility ensures the variable behaves as intended.

Remediation

Always explicitly specify the visibility of state variables. The possible visibility options are:

- public: Accessible by anyone, both externally and internally.
- internal: Accessible only within the contract or derived contracts (default).
- private: Accessible only within the contract.

Vulnerable Contract Example

contract Vulnerable {
    uint balance;  // Default internal; no getter — external callers cannot read it

    constructor() {
        balance = 100;
    }

    function updateBalance(uint amount) public {
        balance = amount;  // Intended public? Forgot visibility — no automatic getter
    }
}

Fixed Contract Example

contract Secure {
    uint private balance;  // Explicitly set visibility to private

    constructor() {
        balance = 100;
    }

    function updateBalance(uint amount) public {
        balance = amount;  // No getter is generated; only this contract can access the variable
    }
}
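
One way to audit source for this weakness, as an added example that is not part of the SCWE page or any OWASP tooling: a heuristic Python scan that reports contract-level state variables declared without `public`, `internal` or `private`. The function names and the sample source are constructed here, and the scan assumes string literals contain no braces, semicolons or comment markers.

```python
import re

VISIBILITY = {"public", "private", "internal"}
# Contract-level statements that end in ';' without declaring a state variable.
NOT_STATE_VAR = {"using", "event", "error", "function", "modifier", "type"}
IDENT = re.compile(r"[A-Za-z_$][\w$]*")

def strip_comments(src):
    """Blank out // and /* */ comments, keeping newlines so line numbers hold."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    return re.sub(r"//[^\n]*|/\*.*?\*/", blank, src, flags=re.S)

def find_default_visibility(src):
    """Return (line, name) for state variables with no visibility keyword."""
    findings, depth, line = [], 0, 1
    buf, buf_line, in_contract = "", 1, False
    for ch in strip_comments(src):
        if ch == "\n":
            line += 1
        if ch == "{":
            if depth == 0:  # only contract/library bodies hold state variables
                in_contract = bool(re.match(r"\s*(abstract\s+)?(contract|library)\b", buf))
            depth, buf = depth + 1, ""
        elif ch == "}":
            depth, buf = depth - 1, ""
        elif ch == ";":
            if depth == 1 and in_contract:
                # Drop the initializer; '=>' in mapping(...) is not an assignment.
                words = IDENT.findall(re.split(r"=(?!>)", buf, maxsplit=1)[0])
                if words and words[0] not in NOT_STATE_VAR and not VISIBILITY & set(words):
                    findings.append((buf_line, words[-1]))
            buf = ""
        else:
            if not buf.strip() and not ch.isspace():
                buf_line = line  # first token of a new statement
            buf += ch
    return findings

# Constructed sample based on the two contracts above.
SAMPLE = """\
contract Vulnerable {
    uint balance;  // default internal
    mapping(address => uint) deposits;
    address public owner;
    function updateBalance(uint amount) public { balance = amount; }
}
contract Secure { uint private balance; }
"""
print(find_default_visibility(SAMPLE))  # [(2, 'balance'), (3, 'deposits')]
```

Constants and immutables declared without a visibility keyword are reported too, since they also fall back to internal.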