πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Improper Access Control

Access control vulnerabilities in smart contracts arise when functions or state variables are insufficiently restricted, enabling unauthorised accounts to invoke privileged operations or alter critical on-chain data. These flaws often result from missing or misconfigured access modifiers, incorrect initialisation of ownership, or reliance on unsafe patterns for authorisation.

Remediation

  • Apply explicit access control to all privileged functions using patterns such as onlyOwner or role-based permissions.
  • Use vetted libraries or frameworks (e.g., OpenZeppelin’s Ownable, AccessControl) to enforce consistent and well-tested access restrictions.
  • Ensure constructors and initialisation routines correctly assign ownership and roles at deployment.
  • Avoid tx.origin for access checks; rely on msg.sender combined with robust role verification.
  • Require multi-signature or multi-party approvals for high-value or irreversible operations.

Metadata

  • Severity: medium
  • Slug: improper-access-control

CWEs

  • 284: Improper Access Control
  • 285: Improper Authorization

OWASP

  • SC01:2025: Access Control Vulnerabilities
  • SC03:2025: Logic Errors

Available Labs

Open Move labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.