Security Auditing: Beware of Duplicated Storage in Solidity Smart Contract Development

Reading Time: 2 minutes

CoinFabrik specializes in auditing and developing Dapps.

Solidity semantics are confusing for smart contract developers with experience in traditional programming languages. This semantics can lead to security issues like the one we found in a recent smart contract security audit we did. The following code caught our attention:

In the above code, the create method stores the same information in two different mappings, not a reference. However, when we assign a struct, we get a reference which makes Solidity ambiguous.

A quick test confirms that the compiler is creating two copies. Initially, we thought it was just wasteful to store two copies because it is more expensive. We could save some gas by using an indirect index:

The indirect index also solves a more serious problem that the copies created in the burn method: if the copies are not synchronized, they will eventually contain different information:

If they had an indirect index they will not have such problem.


Solidity mappings are an essential part of most smart contracts, so it helps to get used to the way they work. Every Solidity developer should be aware of the quirks of Solidity mappings. Please see Solidity Frustrations: References and Mapping for examples.
So, to recap, it is important to avoid storing the same information in two mappings.

If you liked this article, you might also like: