apegurus/access-control

<!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) --> <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->

Access Control Exploits

Overview

Access control vulnerabilities occur when unauthorized users can execute privileged functions. These are often the simplest bugs but cause catastrophic losses.

Total Losses: $1B+ across DeFi

---

Attack Patterns

1. Missing Access Control

// VULNERABLE: Anyone can call
function mint(address to, uint256 amount) external {
    _mint(to, amount);
}

// SECURE: Access control
function mint(address to, uint256 amount) external onlyMinter {
    _mint(to, amount);
}

2. Unprotected Initialize

// VULNERABLE: Anyone can initialize
function initialize(address _admin) external {
    admin = _admin;
}

// SECURE: Initializer modifier
function initialize(address _admin) external initializer {
    admin = _admin;
}

3. tx.origin Authentication

// VULNERABLE: tx.origin can be manipulated
function withdraw() external {
    require(tx.origin == owner, "Not owner");
    payable(owner).transfer(address(this).balance);
}

// Attack: Trick owner into calling attacker's contract
contract Attacker {
    function attack(VulnerableContract target) external {
        target.withdraw();  // tx.origin is still the owner!
    }
}

4. Privilege Escalation

// VULNERABLE: Admin can make anyone admin
function setAdmin(address newAdmin) external onlyAdmin {
    admin = newAdmin;  // No checks on newAdmin
}

// SECURE: Multi-sig or timelock for admin changes

5. Signature Replay

// VULNERABLE: Same signature works multiple times
function executeWithSig(bytes calldata data, bytes calldata sig) external {
    address signer = recover(keccak256(data), sig);
    require(signer == admin, "Invalid sig");
    // Execute...
}

// SECURE: Include nonce
mapping(address => uint256) public nonces;

function executeWithSig(bytes calldata data, uint256 nonce, bytes calldata sig) external {
    require(nonce == nonces[msg.sender]++, "Invalid nonce");
    bytes32 hash = keccak256(abi.encode(data, nonce, address(this), block.chainid));
    address signer = recover(hash, sig);
    require(signer == admin, "Invalid sig");
    // Execute...
}

---

Real Exploits

Ronin Bridge (Mar 2022) — $625M

What happened:

• Attackers compromised 5 of 9 validator keys
• 4 keys from Sky Mavis, 1 from Axie DAO
• Signed fraudulent withdrawals

Root cause: Insufficient key distribution + social engineering

Lesson: Multi-sig threshold must assume some keys will be compromised.

Parity Wallet (Nov 2017) — $150M Frozen

What happened:

• Library contract had unprotected initWallet()
• Random user called it, became owner
• Called kill(), destroyed library
• All wallets using library became unusable

Root cause: Unprotected initialize function on library contract

// The fatal function
function initWallet(address[] _owners, uint _required, uint _daylimit) {
    // NO ACCESS CONTROL
    initMultiowned(_owners, _required);
}

Lesson: ALL contracts need access control, especially libraries.

Wormhole (Feb 2022) — $326M

What happened:

• Attacker exploited signature verification bug
• Forged guardian signatures
• Minted 120k ETH on Solana, bridged to Ethereum

Root cause: Improper signature verification in Solana program

Poly Network (Aug 2021) — $611M

What happened:

• Attacker exploited cross-chain message verification
• Changed the keeper address to attacker-controlled address
• Drained assets across multiple chains

Root cause: Insufficient validation of cross-chain calls

---

Detection Checklist

Function-Level

• [ ] Does every state-changing function have appropriate access control?
• [ ] Are there functions without any modifiers that should have them?
• [ ] Is onlyOwner/onlyAdmin used consistently?
• [ ] Can critical functions be called by anyone?

Initialization

• [ ] Is initialize() protected with initializer modifier?
• [ ] Can initialize be called multiple times?
• [ ] Is the implementation contract also initialized?
• [ ] Are all state variables properly set in initialize?

Authentication

• [ ] Is tx.origin used anywhere? (Almost always wrong)
• [ ] Are signatures properly validated with nonce/chainId/address?
• [ ] Can signatures be replayed across chains or contracts?
• [ ] Is there proper domain separation in signatures?

Privilege Management

• [ ] Can admin change critical parameters without timelock?
• [ ] Is there a way to revoke compromised admin access?
• [ ] Are role changes logged with events?
• [ ] Is there role hierarchy that could be exploited?

Secure Patterns

OpenZeppelin AccessControl

import "@openzeppelin/contracts/access/AccessControl.sol";

contract Secure is AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    
    constructor() {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }
    
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }
}

Two-Step Ownership Transfer

address public pendingOwner;

function transferOwnership(address newOwner) external onlyOwner {
    pendingOwner = newOwner;
}

function acceptOwnership() external {
    require(msg.sender == pendingOwner, "Not pending owner");
    owner = pendingOwner;
    pendingOwner = address(0);
}

Initializer Pattern

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

contract MyContract is Initializable {
    address public admin;
    
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();  // Protect implementation
    }
    
    function initialize(address _admin) external initializer {
        admin = _admin;
    }
}

---

References

• SWC-105: Unprotected Ether Withdrawal
• SWC-115: Authorization through tx.origin
• OpenZeppelin Access Control
• Ronin Post-Mortem

Detection Heuristics (kadenzipfel)

Preconditions

• Contract has functions that modify sensitive state (ownership, balances, fees, minting, pausing, protocol parameters)
• Those functions lack access control modifiers (onlyOwner, onlyRole, etc.) or require(msg.sender == ...) checks
• OR: access control exists but is incomplete (e.g., role assignments themselves are unprotected)

Vulnerable Pattern

address public owner;
uint256 public feeRate;

// Missing access control — anyone can call
function setFeeRate(uint256 newRate) external {
    feeRate = newRate;
}

// Missing access control — anyone can take ownership
function setOwner(address newOwner) external {
    owner = newOwner;
}

// Incomplete: role grant is unprotected
function grantRole(address user, bytes32 role) external {
    // Missing: require(hasRole(ADMIN_ROLE, msg.sender))
    _roles[role][user] = true;
}

Detection Heuristics

1. Identify all external and public functions that modify state variables
2. For each, check if it has an access control modifier (onlyOwner, onlyRole, whenNotPaused, etc.) or an inline require(msg.sender == ...) check
3. If a state-changing function has no access control, flag it — especially if it modifies ownership, balances, fees, or addresses
4. Check that role/permission management functions themselves are protected (e.g., grantRole requires ADMIN_ROLE)
5. Check initialize() functions in upgradeable contracts — they must have an initializer modifier to prevent re-initialization

False Positives

• The function is intentionally permissionless by design (e.g., deposit(), claim() where anyone should be able to call)
• Access control is enforced in an internal function that the external function always calls through
• The contract is an implementation behind a proxy, and access control is enforced at the proxy level

Remediation

• Add explicit access control to every state-changing function that should be restricted
• Use OpenZeppelin's Ownable or AccessControl for standardized role management
• Protect initialize() with the initializer modifier
• Apply the principle of least privilege: each function should require the minimum role necessary

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract Secure is Ownable {
    function setFeeRate(uint256 newRate) external onlyOwner {
        feeRate = newRate;
    }
}