Last updated: March 11, 2025

SCWE-057: Write to Arbitrary Storage Location

Stable Version v0.0.1

This content is at version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).


Relationships

Description

Writing to arbitrary storage locations can occur when a contract fails to properly validate inputs before interacting with storage variables. An attacker may exploit this vulnerability to overwrite sensitive storage slots, leading to unintended contract behavior, state manipulation, or loss of funds.

Remediation

To mitigate this vulnerability, ensure that all inputs to storage-related operations are properly validated. Avoid allowing external users to specify arbitrary storage locations. Use access control mechanisms to restrict who can modify sensitive state variables and ensure that only trusted users or contract functions can write to critical storage locations.

Vulnerable Contract Example

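pragma solidity ^0.8.0;

contract ArbitraryStorageWrite {
    uint256 public balance;  // First state variable, stored in slot 0

    // No access control and no validation of storageLocation
    function setStorage(uint256 storageLocation, uint256 value) public {
        assembly {
            sstore(storageLocation, value)  // Writing to arbitrary storage location
        }
    }
}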

Fixed Contract Example

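pragma solidity ^0.8.0;

// No caller-supplied slot and no inline assembly: writes go through named state variables only
contract SecureStorageWrite {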
    uint256 public balance;
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "Not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setBalance(uint256 value) public onlyOwner {
        balance = value;  // Only the owner can modify the balance
    }
}
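
A review aid for the pattern above, added here as an example and not part of SCWE or any existing tool: a heuristic Python check that flags externally callable functions whose parameters reach the slot operand of `sstore`. The function names and the regex-based parsing are assumptions of this sketch; it does not strip comments or follow values through local variables.

```python
import re

# Constructed samples, condensed from the two contracts on this page.
VULNERABLE = """function setStorage(uint256 storageLocation, uint256 value) public {
    assembly { sstore(storageLocation, value) }
}"""
FIXED = """function setBalance(uint256 value) public onlyOwner {
    balance = value;
}"""

# name, parameter list, and the modifiers/visibility before the body's "{"
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def body_of(src, open_idx):
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += (src[i] == "{") - (src[i] == "}")
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def slot_expr(body, paren_idx):
    """First argument (the slot) of the sstore call whose '(' is at paren_idx."""
    depth = 0
    for i in range(paren_idx, len(body)):
        depth += (body[i] == "(") - (body[i] == ")")
        if depth == 0 or (depth == 1 and body[i] == ","):
            return body[paren_idx + 1:i]
    return body[paren_idx + 1:]

def find_param_controlled_sstore(src):
    """Return (function, parameter) pairs where a parameter of an externally
    callable function appears in the slot operand of sstore."""
    findings = []
    for m in FUNC.finditer(src):
        name, params, header = m.groups()
        if re.search(r"\b(internal|private)\b", header):
            continue  # not directly callable; review its callers instead
        pnames = {p.split()[-1] for p in params.split(",") if p.strip()}
        body = body_of(src, m.end() - 1)
        for call in re.finditer(r"\bsstore\s*\(", body):
            slot = slot_expr(body, call.end() - 1)
            used = pnames & set(re.findall(r"\w+", slot))
            findings += [(name, p) for p in sorted(used)]
    return findings

if __name__ == "__main__":
    print(find_param_controlled_sstore(VULNERABLE))
    print(find_param_controlled_sstore(FIXED))
```

A finding is a prompt for manual review, not a verdict: a flagged function may still be safe if the slot is masked into a fixed namespace, and an unflagged one may pass the parameter through an internal helper.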