Access Control Vulnerabilities

Access control vulnerabilities occur when functions lack proper authorization checks, allowing unauthorized users to execute privileged operations like minting tokens or withdrawing funds.

How It Works

Missing or incorrect access modifiers allow any address to call administrative functions. This can let attackers mint unlimited tokens, change ownership, pause contracts, or drain treasury funds.

Real-World Examples

Poly Network

2021

$611M

An access control flaw in cross-chain relay contracts allowed an attacker to forge privileged transactions.

Wormhole Bridge

2022

$320M

A missing validation check allowed an attacker to forge guardian signatures and mint wrapped ETH.

Code Examples

Vulnerable Code

// VULNERABLE: No access control
function mint(address to, uint256 amount) external {
    _mint(to, amount); // Anyone can mint!
}

function setPrice(uint256 newPrice) external {
    price = newPrice; // Anyone can change price!
}

Secure Code

// FIXED: Proper access control
function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
    _mint(to, amount);
}

function setPrice(uint256 newPrice) external onlyOwner {
    price = newPrice;
}

Prevention

Use OpenZeppelin's Ownable or AccessControl for role-based permissions
Apply the principle of least privilege to all functions
Add access modifiers to every state-changing function
Use multi-sig wallets for critical administrative operations

Related Vulnerabilities

Proxy & Upgradeability Risks

high

Signature Replay Attacks

high

Scan Your Contract for Access Control Vulnerabilities

Our AI-powered auditor automatically detects access control vulnerabilities and 20+ other vulnerability types. Get a detailed report in minutes.

Start Audit View All Vulnerabilities

Authorization

critical severity

Access Control Vulnerabilities

Access control vulnerabilities occur when functions lack proper authorization checks, allowing unauthorized users to execute privileged operations like minting tokens or withdrawing funds.

How It Works

Missing or incorrect access modifiers allow any address to call administrative functions. This can let attackers mint unlimited tokens, change ownership, pause contracts, or drain treasury funds.

Real-World Examples

Poly Network

2021

$611M

An access control flaw in cross-chain relay contracts allowed an attacker to forge privileged transactions.

Wormhole Bridge

2022

$320M

A missing validation check allowed an attacker to forge guardian signatures and mint wrapped ETH.

Code Examples

Vulnerable Code

// VULNERABLE: No access control
function mint(address to, uint256 amount) external {
    _mint(to, amount); // Anyone can mint!
}

function setPrice(uint256 newPrice) external {
    price = newPrice; // Anyone can change price!
}

Secure Code

// FIXED: Proper access control
function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
    _mint(to, amount);
}

function setPrice(uint256 newPrice) external onlyOwner {
    price = newPrice;
}

Prevention

Use OpenZeppelin's Ownable or AccessControl for role-based permissions
Apply the principle of least privilege to all functions
Add access modifiers to every state-changing function
Use multi-sig wallets for critical administrative operations

Related Vulnerabilities

Proxy & Upgradeability Risks

high

Signature Replay Attacks

high

Scan Your Contract for Access Control Vulnerabilities

Our AI-powered auditor automatically detects access control vulnerabilities and 20+ other vulnerability types. Get a detailed report in minutes.

Start Audit View All Vulnerabilities