myctrl.tools

SC01Access Control Vulnerabilities

>Control Description

Improper access control encompasses situations where smart contracts fail to enforce who may invoke privileged behavior, under which conditions, and with which parameters. Modern DeFi systems require enforcement beyond simple `onlyOwner` modifiers, involving governance contracts, multisigs, guardians, proxy admins, and cross-chain routers controlling token minting/burning, reserve movement, pool reconfiguration, pause mechanisms, and implementation upgrades. Weak or inconsistent application of these trust boundaries allows attackers to impersonate privileged actors or manipulate the system into treating untrusted addresses as authorized. **Key Focus Areas:** - Ownership and admin controls (e.g., `onlyOwner`, governors, multisigs) - Upgrade and pause mechanisms (proxy admins, guardians) - Fund movement and accounting (mint/burn, pool reconfigurations, fee routing) - Cross-chain and cross-module trust boundaries (bridges, vault routers, L2 messengers) **Exploitation Methods:** - Missing modifiers or role checks on sensitive functions - Incorrect `msg.sender` assumptions (via delegatecalls or meta-transactions) - Unprotected initialization/re-initialization of contracts or proxies - Privilege confusion across modules

>Prevention & Mitigation Strategies

  1. 1.Utilize battle-tested primitives such as OpenZeppelin's Ownable and AccessControl rather than custom role systems.
  2. 2.Keep privileged roles minimal, clearly documented, and held by well-secured multisigs or governance modules instead of EOAs.
  3. 3.Implement initialization locks for upgradeable contracts using initializer/reinitializer guards with explicit versioning to prevent re-initialization attacks.
  4. 4.Upgrade paths for proxies and core components should be tightly controlled and observable, with events emitted for every privilege change or upgrade so that off-chain monitoring can quickly detect abuse.
  5. 5.Encode access control policies through tests, fuzzing properties, and formal specifications verifying that no unprivileged address can ever drain funds or seize admin control.

>Attack Scenarios

#1Balancer V2 (November 2025, ~$128M loss)

The manageUserBalance function contained improper access controls checking msg.sender against a user-provided op.sender value, which attackers could set to match msg.sender to bypass protections. Attackers masqueraded as pool controllers executing unauthorized WITHDRAW_INTERNAL operations, chained with rounding errors to drain liquidity.

#2Zoth (March 2025, $8.4M loss)

Improper privilege checks around core accounting and administrative functions enabled attackers to compromise the deployer wallet (single EOA controlling admin) and execute a malicious proxy upgrade, withdrawing $8.4M through a malicious implementation.

#3Cork Protocol (May 2025, $11-12M loss)

Uniswap V4 hook callbacks (e.g., beforeSwap) lacked access control validation that callers were the trusted PoolManager. The beforeSwap function had no onlyPoolManager modifier. Attackers called hooks directly with arbitrary parameters, fraudulently obtaining derivative tokens.

>References

Ask AI

Configure your API key to use AI features.