In Solidity, every function can have one of four visibility specifiers:
public → anyone can call it, including other contracts and externally.external → only external calls (cheaper than public for simple inputs).internal → only this contract and its children can call it.private → only this contract can call it.If you don’t explicitly declare it… the compiler picks a default.
Before Solidity 0.5.0 (old versions), the default visibility for functions was public.
That means if you forgot to specify visibility, your function was exposed to the world.
pragma solidity ^0.4.24;
contract Wallet {
address owner;
function Wallet() { // constructor (old syntax)
owner = msg.sender;
}
// Forgot to add visibility
function kill() {
selfdestruct(owner);
}
}
Looks like only the contract itself should call kill(), right?
But since no visibility is specified, kill() defaults to public.
That means anyone can call it → anyone can self-destruct your wallet.
This happened in real contracts, and money was lost.