Access Control Vulnerabilities
Vulnerability: Improper Access Control
Description:
An access control vulnerability is a security flaw that allows unauthorized users to access or modify the contract's data or functions. These vulnerabilities arise when the contract's code fails to adequately restrict access based on user permission levels. Access control in smart contracts can relate to governance and critical logic, such as minting tokens, voting on proposals, withdrawing funds, pausing and upgrading the contracts, and changing ownership.
Example (HospoWise Hack):
// No proper access control is implemented for the burn function
function burn(address account, uint256 amount) public {
    _burn(account, amount);
}
Impact:
- Attackers can gain unauthorized access to critical functions and data within the contract, compromising its integrity and security.
- Vulnerabilities can lead to the theft of funds or assets controlled by the contract, causing significant financial damage to users and stakeholders.
Remediation:
- Ensure initialization functions can only be called once and exclusively by authorized entities.
- Use established access control patterns like Ownable or RBAC (Role-Based Access Control) in your contracts to manage permissions and ensure that only authorized users can access certain functions. This can be done by adding appropriate access control modifiers, such as onlyOwner or custom roles, to sensitive functions.
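The sketch below is an added example, not code from the original page or from the HospoWise contract. It applies both recommendations to a minimal token: a one-time, owner-only initializer and a burn function gated by onlyOwner. The contract name GuardedToken, the functions initialize, burnSelf and transfer, and the custom errors are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example with hypothetical names; not the HospoWise contract.
contract GuardedToken {
    address public immutable owner;
    bool private initialized;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    error NotOwner(address caller);
    error AlreadyInitialized();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender; // deployer becomes the single privileged account
    }

    // Initialization: callable once, and only by the owner.
    function initialize(uint256 supply) external onlyOwner {
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        totalSupply = supply;
        balanceOf[owner] = supply;
    }

    // Same signature as the vulnerable burn above, now gated by onlyOwner.
    function burn(address account, uint256 amount) public onlyOwner {
        _burn(account, amount);
    }

    // Holders can burn only their own balance; msg.sender is the account.
    function burnSelf(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts if the sender's balance is too low
        balanceOf[to] += amount;
    }

    function _burn(address account, uint256 amount) internal {
        balanceOf[account] -= amount; // checked arithmetic (0.8+) reverts on underflow
        totalSupply -= amount;
    }
}
```

A unit test for a contract like this should assert that burn and initialize revert when called from a non-owner account, and that a second initialize call reverts even from the owner.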
Examples of Smart Contracts That Fell Victim to Improper Access Control Attacks:
- HospoWise Hack: A Comprehensive Hack Analysis
- LAND NFT Hack: A Comprehensive Hack Analysis