SCWE-152: Misuse of Custom Errors Leading to Information Leakage or Wrong Revert Behavior
Stable Version v1.0
This content is in the version-(v1.0) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Relationships¶
- CWE-209: Generation of Error Message Containing Sensitive Information
https://cwe.mitre.org/data/definitions/209.html
Description¶
Custom errors (Solidity 0.8.4+) save gas but can expose internal state if parameters include sensitive data (e.g., balances, private keys, internal addresses). Using the wrong error in a revert can also mislead integrators or hide the actual failure reason. Custom errors are part of the revert payload and can be decoded off-chain.
Remediation¶
- Avoid including sensitive data in custom error parameters.
- Use generic error messages for external-facing reverts when the internal reason is confidential.
- Ensure error selection matches the actual failure condition.
Examples¶
Vulnerable¶
pragma solidity ^0.8.0;
contract Vault {
error InsufficientBalance(uint256 requested, uint256 available);
function withdraw(uint256 amount) external {
uint256 balance = balances[msg.sender];
if (amount > balance) {
revert InsufficientBalance(amount, balance); // Exposes user balance
}
balances[msg.sender] -= amount;
(bool ok, ) = msg.sender.call{value: amount}("");
require(ok, "Transfer failed");
}
}