Vulnerabilities

Access Control Vulnerability

An access control vulnerability lets an unauthorized caller perform privileged actions such as moving funds, changing roles, upgrading contracts, or changing protocol settings.

The contract checks what should happen, but fails to check who is allowed to make it happen.

Access Control Vulnerability Explained in Detail

Access control decides who can run sensitive actions. A vulnerability appears when a privileged action is public, weakly protected, protected by the wrong role, or reachable through an indirect path.

Sensitive actions include withdrawals, minting, upgrades, pausing, role grants, oracle updates, fee changes, and emergency sweeps.

Smart contract example

// Deliberately vulnerable example: withdrawAll() has no caller check.
pragma solidity ^0.8.0;

contract Vault {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Lets the vault receive ether so there is a balance to protect.
    receive() external payable {}

    // No check on msg.sender: any caller can drain the full balance.
    function withdrawAll() external {
        payable(msg.sender).transfer(address(this).balance);
    }
}

withdrawAll() is missing an owner or role check.

Access Control Vulnerability in Auditing

Access control bugs often lead directly to takeover or fund loss. They also affect governance safety, upgradeable proxy safety, oracle trust, and emergency controls.

Red flags in code

  • Public mint, burn, withdraw, sweep, pause, upgradeTo, setOracle, or setFee.

  • initialize() or grantRole() callable by the wrong account.

  • Role admin assigned to an EOA when a multisig or timelock is expected.

  • Authorization checked in the UI but not in the contract.

  • Privileged actions reachable through multicall, callbacks, proxies, or delegatecall.

  • Emergency functions that bypass normal accounting or skip the checks the normal path enforces.
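The second red flag above, initialize() callable by the wrong account, is worth seeing side by side with a guarded version. The following contracts are an added illustration, not code from the page: the unsafe variant hands admin rights to whoever calls initialize() first, while the guarded one runs once, only from the initializer address recorded at construction (assumed here to be a factory or proxy admin), and rejects a zero admin.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Red flag: initialize() is external and unguarded, so the first caller
/// after deployment (not necessarily the deployer) becomes admin.
/// Deliberately unsafe, for comparison only.
contract UnsafeTreasury {
    address public admin;

    function initialize(address admin_) external {
        admin = admin_; // no "already initialized" check, no caller check
    }

    function sweep(address payable to) external {
        require(msg.sender == admin, "not admin");
        to.transfer(address(this).balance);
    }

    receive() external payable {}
}

/// Guarded version: the initializer is single-use, restricted to the
/// address recorded at construction, and refuses a zero admin.
contract GuardedTreasury {
    address public admin;
    // Assumption: the account allowed to initialize (factory / proxy admin)
    // is known at deployment and stored as an immutable.
    address private immutable initializerAllowed;
    bool private initialized;

    error AlreadyInitialized();
    error UnauthorizedInitializer(address caller);
    error NotAdmin(address caller);
    error ZeroAddress();

    event Initialized(address indexed admin);

    constructor(address initializerAllowed_) {
        if (initializerAllowed_ == address(0)) revert ZeroAddress();
        initializerAllowed = initializerAllowed_;
    }

    function initialize(address admin_) external {
        if (initialized) revert AlreadyInitialized();
        if (msg.sender != initializerAllowed) revert UnauthorizedInitializer(msg.sender);
        if (admin_ == address(0)) revert ZeroAddress();
        initialized = true; // set before any further state change
        admin = admin_;
        emit Initialized(admin_);
    }

    function sweep(address payable to) external {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        if (to == address(0)) revert ZeroAddress();
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "sweep failed");
    }

    receive() external payable {}
}
```

During review, the question to ask of every initializer is the same one the page asks of every privileged function: not only whether it does the right thing, but who is allowed to call it, and whether it can be called more than once.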

How to test or review it

  • List every state-changing external function.

  • Mark who should be allowed to call each sensitive function.

  • Test each privileged function from an unprivileged address.

  • Review indirect execution paths through routers, proxies, governance, and external calls.

  • Verify deployed role holders match the intended multisig, timelock, or governance contract.

  • Check ownership transfer, renounce, and role-admin flows separately.
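The checklist above is straightforward to encode as a Foundry test. The block below is an added example, not the page's own code: it contains a hardened version of the page's Vault (the owner check placed on withdrawAll() itself, plus a two-step ownership transfer) and a test contract that exercises the privileged function from an unprivileged address, from the owner, and through the ownership transfer flow. It assumes forge-std is available at the usual "forge-std/Test.sol" import path; the deployer, attacker and multisig addresses are constructed test accounts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hardened form of the page's Vault: the who-check sits on the privileged
/// function, and ownership moves in two steps so a mistyped address cannot
/// strand the contract.
contract Vault {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    error NotOwner(address caller);
    error NotPendingOwner(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    // The fix for the page's example: funds go only to the owner, only on the owner's call.
    function withdrawAll() external onlyOwner {
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }

    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner(msg.sender);
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}

/// Review steps as tests: each privileged function is called from an
/// unprivileged address and from the intended holder, and the ownership
/// transfer flow is checked separately.
contract VaultAccessControlTest is Test {
    Vault vault;
    address deployer = makeAddr("deployer"); // constructed test accounts
    address attacker = makeAddr("attacker");
    address multisig = makeAddr("multisig");

    function setUp() public {
        vm.prank(deployer);
        vault = new Vault();
        vm.deal(address(vault), 10 ether);
    }

    function test_withdrawAll_revertsForUnprivilegedCaller() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(Vault.NotOwner.selector, attacker));
        vault.withdrawAll();
        assertEq(address(vault).balance, 10 ether);
    }

    function test_withdrawAll_succeedsForOwner() public {
        vm.prank(deployer);
        vault.withdrawAll();
        assertEq(deployer.balance, 10 ether);
        assertEq(address(vault).balance, 0);
    }

    function test_ownershipTransfer_requiresAcceptance() public {
        vm.prank(deployer);
        vault.transferOwnership(multisig);

        // A pending owner holds no privileges until it accepts.
        vm.prank(multisig);
        vm.expectRevert(abi.encodeWithSelector(Vault.NotOwner.selector, multisig));
        vault.withdrawAll();

        // An unrelated account cannot accept on the pending owner's behalf.
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(Vault.NotPendingOwner.selector, attacker));
        vault.acceptOwnership();

        vm.prank(multisig);
        vault.acceptOwnership();
        assertEq(vault.owner(), multisig);
        assertEq(vault.pendingOwner(), address(0));
    }
}
```

Run with `forge test`. The same pattern extends to every function on the sensitive-action list: for each one, a test from an unprivileged address that expects a revert, a test from the intended role holder that succeeds, and a separate test for the flow that grants or moves the role.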
