SC01:2025 - Improper Access Control

Description:

An access control vulnerability is a security flaw that allows unauthorized users to access or modify the contract’s data or functions. These vulnerabilities arise when the contract’s code fails to adequately restrict access based on user permission levels. Access control in smart contracts can relate to governance and critical logic, such as minting tokens, voting on proposals, withdrawing funds, pausing and upgrading the contracts, and changing ownership.

Example (Vulnerable contract):

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Solidity_AccessControl {
    mapping(address => uint256) public balances;

    // Burn function with no access control
    function burn(address account, uint256 amount) public {
        _burn(account, amount);
    }
}

Impact:

Remediation:

Example (Fixed version):

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Import the Ownable contract from OpenZeppelin to manage ownership
import "@openzeppelin/contracts/access/Ownable.sol";

contract Solidity_AccessControl is Ownable {
    mapping(address => uint256) public balances;

    // Burn function with proper access control, only accessible by the contract owner
    function burn(address account, uint256 amount) public onlyOwner {
        _burn(account, amount);
    }
}

Examples of Smart Contracts That Fell Victim to Improper Access Control Attacks:

  1. HospoWise Hack : A Comprehensive Hack Analysis
  2. LAND NFT Hack : A Comprehensive Hack Analysis