Debug Statements Left
id: LS14I
title: Debug Statements Left
baseSeverity: I
category: code-quality
language: solidity
blockchain: [ethereum]
impact: Accidental disclosure or gas waste
status: draft
complexity: low
attack_vector: internal
mitigation_difficulty: easy
versions: [">=0.6.0", "<0.8.24"]
cwe: CWE-489
swc: SWC-135
π Description
- Leaving debug statements such as console.log, emit Debug(...), or internal markers in production smart contracts introduces unnecessary gas overhead and can inadvertently leak sensitive state variables.
- In production environments, these debug artifacts offer no functional benefit and clutter the execution trace, consuming gas and potentially revealing internal logic or variable states that attackers can use to inform exploit paths.
π¨ Vulnerable Code
import "hardhat/console.sol";
contract Vault {
uint public balance;
function deposit() public payable {
balance += msg.value;
console.log("Deposit received: ", msg.value); // Debug left in code
}
}
π§ͺ Exploit Scenario
- Developer tests contract using Hardhat with console.log statements.
- Debug statement is accidentally left before deployment.
- When compiled for a non-local network, deployment fails, or gas is wasted unnecessarily.
- If instead it's a custom emit Debug(...), it bloats logs with redundant data and may leak internal values like keys, addresses, or balances.
Assumptions
- Assumes devs donβt clean up pre-deployment. Public contract visibility allows anyone to read emitted debug data.
β Fixed Code
// Removed console.log for cleaner, production-ready code
contract Vault {
uint public balance;
function deposit() public payable {
balance += msg.value;
}
}
π§ Contextual Severity
- context: "Default"
severity: I
reasoning: "Adds unnecessary gas usage or log clutter; not a security bug."
- context: "Production Contract with emit-based Debug Events"
severity: M
reasoning: "May leak sensitive variables and pollute logs, increasing attack surface."
- context: "Local Test Contract"
severity: I
reasoning: "No impact if used in test-only builds or scripts."
π‘οΈ Prevention
Primary Defenses
- Remove all console.log or emit Debug(...) before deploying.
- Use network-aware flags to strip debug-only code during build.
Additional Safeguards
- Use separate test/development branches or folders.
- Automate lint checks to reject builds containing debug artifacts.
Detection Methods
- Solhint with custom rules
- Slither can detect event emissions
π°οΈ Historical Exploits
- Name: Voltage Finance Reentrancy Exploit
- Date: March 2022
- Loss: Approximately $4.67 million
- Post-mortem: Link to post-mortem
π Further Reading
- SWC-135: Code With No Effects β SWC Registry
- Hardhat Docs: console.log Usage
- Slither: Detect Debug Artifacts
β Vulnerability Report
id: LS14I
title: Debug Statements Left
severity: I
score:
impact: 1
exploitability: 1
reachability: 5
complexity: 1
detectability: 5
finalScore: 2.0
π Justifications & Analysis
- Impact: Minimal impact, mostly around gas cost or log pollution.
- Exploitability: Requires accidental inclusion and user interaction.
- Reachability: Easy to reach in functions containing debug code.
- Complexity: Simple mistake; attacker requires no effort.
- Detectability: Easily caught via code review or automated tools.