Last updated: February 06, 2026

SCWE-097: Missing Explicit Function Visibility

Stable Version v1.0

This content is in the version-(v1.0) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Relationships

Description

In Solidity compilers before 0.5.0, a function declared without a visibility specifier defaults to public, so any externally owned account or contract can invoke logic the author intended to be internal or private. This silently expands the attack surface: helper functions that change state, move funds or make external calls become entry points for unauthorized calls and reentrancy. Solidity 0.5.0 and later refuse to compile a function that has no explicit visibility, so the weakness is found mainly in legacy 0.4.x contracts and in code ported from them. Note that the default differs for state variables, which are internal when left unqualified.

Remediation

  • Explicitly declare visibility (private, internal, public, external) on every function, and prefer external over public for functions that are only ever called from outside the contract.
  • Compile with Solidity 0.5.0 or later, where a missing visibility specifier is a compile error; for 0.4.x code, treat the compiler's "No visibility specified" warning as a build failure.
  • Enforce the rule in CI with a linter or static analyser (for example solhint's func-visibility rule) so a missing specifier cannot reach review.
  • Visibility is not authorization: restrict privileged logic with access modifiers (onlyOwner, role checks) in addition to the narrowest visibility that works.

Examples

Vulnerable

pragma solidity ^0.4.24;

// Only compiles on 0.4.x: the compiler emits a warning that no visibility was
// specified and defaults to public. Solidity 0.5.0 and later reject this declaration.
contract Vault {
    uint256 public balance;

    function withdraw(uint256 amount) { // no visibility specifier: defaults to public
        balance -= amount;               // reachable by any caller, no checks
        msg.sender.transfer(amount);
    }
}

Fixed

pragma solidity ^0.8.0;

contract Vault {
    uint256 public balance;

    // external: callable only from outside the contract, which is all this entry point needs
    function withdraw(uint256 amount) external {
        // visibility alone is not access control: add the owner/role check or
        // per-caller accounting the business logic requires before moving funds
        balance -= amount;                                  // 0.8.x reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");   // external call after the state update
        require(ok, "Transfer failed");
    }
}
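
The following contract, added here as an illustration and not part of the SCWE corpus, shows what each of the four visibility levels lets a caller reach when every function is declared explicitly; the contract and function names are hypothetical. The commented-out calls are the ones the compiler rejects, which is the property a missing specifier would have silently given away.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not SCWE's own code): explicit visibility on every function,
// with internal helpers kept off the external interface.
contract VisibilityDemo {
    mapping(address => uint256) private balances;

    // external: in the ABI, callable from outside only (or via this.deposit()).
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // public: in the ABI and also callable internally and from derived contracts.
    function balanceOf(address who) public view returns (uint256) {
        return balances[who];
    }

    // internal: reachable from this contract and contracts that inherit it, never from outside.
    function _debit(address who, uint256 amount) internal {
        require(balances[who] >= amount, "insufficient balance");
        balances[who] -= amount;
    }

    // private: reachable from this contract only, not even from derived contracts.
    function _pay(address to, uint256 amount) private {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // The only fund-moving entry point: checks and effects in _debit, interaction in _pay.
    function withdraw(uint256 amount) external {
        _debit(msg.sender, amount);
        _pay(msg.sender, amount);
    }
}

contract Child is VisibilityDemo {
    // Compiles: internal functions are visible to derived contracts.
    function burn(uint256 amount) external {
        _debit(msg.sender, amount);
    }

    // Does not compile: _pay is private to VisibilityDemo.
    // function drain(address to) external { _pay(to, address(this).balance); }
}

contract Caller {
    // Compiles: public and external functions form the contract's external interface.
    function check(VisibilityDemo v, address who) external view returns (uint256) {
        return v.balanceOf(who);
    }

    // Does not compile: internal and private functions are not part of the external interface,
    // so no external account can reach the debit logic directly.
    // function steal(VisibilityDemo v) external { v._debit(msg.sender, 0); }
}
```

Had `_debit` been written without a specifier on a 0.4.x compiler, the `steal` call would have compiled and anyone could have zeroed another account's balance; the explicit `internal` is what makes the compiler reject it.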