Access Control
Access control in smart contracts is the system of permissions and roles that restricts which addresses can call privileged functions, preventing unauthorized actions.
In Depth
Access control is one of the most critical smart contract security layers, governing who can execute administrative, sensitive, or state-changing functions. Common patterns include OpenZeppelin's Ownable (single owner) and AccessControl (role-based) contracts. Access control bugs — such as missing modifiers, incorrect role assignments, or unprotected initializers — are among the most frequently exploited vulnerabilities in DeFi. Invariant testing can systematically verify access control by asserting that unprivileged actors can never reach privileged states, providing ongoing confidence that permission boundaries hold across all possible call sequences.
Frequently Asked Questions
What is access control in smart contracts?
Access control determines which addresses can call which functions in a smart contract. It uses patterns like onlyOwner modifiers or role-based systems (e.g., OpenZeppelin AccessControl) to restrict sensitive operations to authorized addresses only.
What are common access control vulnerabilities?
Common access control bugs include missing modifiers on sensitive functions, incorrect role checks, unprotected initializer functions in upgradeable contracts, and overly permissive default roles. These are among the most frequently exploited vulnerability classes in DeFi.
How can invariant testing verify access control?
Invariant testing can define properties like 'only the owner can change this parameter' or 'unprivileged users can never set the fee above X.' The fuzzer then tries millions of call sequences with different actors to verify that these properties hold regardless of the execution path.
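The property "only the owner can change this parameter" as a Foundry invariant test. This is an added example, not code from the original page; the `FeeConfig` contract, its function names, the owner address and the fee value are hypothetical, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical target contract (constructed for this example).
contract FeeConfig {
    address public owner;
    uint256 public feeBps;
    bool private initialized;
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Guarded initializer: without the flag, any caller could re-run it and take ownership.
    function initialize(address owner_, uint256 feeBps_) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = owner_;
        feeBps = feeBps_;
    }

    function setFee(uint256 newFeeBps) external onlyOwner {
        feeBps = newFeeBps;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }
}

contract FeeConfigInvariantTest is Test {
    FeeConfig internal config;
    address internal constant OWNER = address(0xA11CE); // constructed address
    uint256 internal constant INITIAL_FEE_BPS = 30;

    function setUp() public {
        config = new FeeConfig();
        config.initialize(OWNER, INITIAL_FEE_BPS);
        targetContract(address(config)); // fuzz every external function of FeeConfig
        excludeSender(OWNER);            // every fuzzed caller is therefore unprivileged
    }

    // Checked after each call in every random sequence: non-owners never change privileged state.
    function invariant_unprivilegedCannotChangeOwnerOrFee() public {
        assertEq(config.owner(), OWNER);
        assertEq(config.feeBps(), INITIAL_FEE_BPS);
    }
}
```

Run it with `forge test`. Dropping `onlyOwner` from `setFee` or the `initialized` check from `initialize` makes the invariant fail, which is how the test catches a missing modifier or an unprotected initializer.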