🚀
Smart Contract Auditors Space
  • 👋Welcome to the Smart Contract Auditors Space
  • Smart Contract Vulnerabilities
    • FV-SOL-1 Reentrancy
      • FV-SOL-1-C1 Single Function
      • FV-SOL-1-C2 Cross Function
      • FV-SOL-1-C3 Cross Contract
      • FV-SOL-1-C4 Cross Chain
      • FV-SOL-1-C5 Dynamic
      • FV-SOL-1-C6 Read-Only
    • FV-SOL-2 Precision Errors
      • FV-SOL-2-C1 Token Decimals
      • FV-SOL-2-C2 Floating Point
      • FV-SOL-2-C3 Rounding
      • FV-SOL-2-C4 Division by Zero
      • FV-SOL-2-C5 Time-Based
    • FV-SOL-3 Arithmetic Errors
      • FV-SOL-3-C1 Overflow and Underflow
      • FV-SOL-3-C2 Sign Extension
      • FV-SOL-3-C3 Truncation in Type Casting
      • FV-SOL-3-C4 Misuse of Environment Variables
    • FV-SOL-4 Bad Access Control
      • FV-SOL-4-C1 Using tx.origin for Authorization
      • FV-SOL-4-C2 Unrestricted Role Assignment
      • FV-SOL-4-C3 Lack of Multi-Signature for Crucial Operations
    • FV-SOL-5 Logic Errors
      • FV-SOL-5-C1 Boundary Misalignment
      • FV-SOL-5-C2 Incorrect Conditionals
      • FV-SOL-5-C3 Improper State Transitions
      • FV-SOL-5-C4 Misordered Calculations
      • FV-SOL-5-C5 Event Misreporting
    • FV-SOL-6 Unchecked Returns
      • FV-SOL-6-C1 Unchecked Call Return
      • FV-SOL-6-C2 Unchecked Transfer Return
      • FV-SOL-6-C3 Silent Fail
      • FV-SOL-6-C4 False Positive Success Assumption
      • FV-SOL-6-C5 Partial Execution with No Rollback
      • FV-SOL-6-C6 False Contract Existence Assumption
    • FV-SOL-7 Proxy Insecurities
      • FV-SOL-7-C1 delegatecall Storage Collision
      • FV-SOL-7-C2 Function Selector Collision
      • FV-SOL-7-C3 Centralized Update Control
      • FV-SOL-7-C4 Uninitialized Proxy
    • FV-SOL-8 Slippage
    • FV-SOL-9 Unbounded Loops
    • FV-SOL-10 Oracle Manipulation
Powered by GitBook
On this page
  • TLDR
  • Code
  • Classifications
  • Lack of Multi-Signature for Crucial Operations (FV-SOL-4-C3)
  • Mitigation Patterns
  • Ownership Pattern (FV-SOL-4-M1)
  • Proper RBAC (FV-SOL-4-M2)
  • Multi-Signature Approval (FV-SOL-4-M3)
  • Actual Occurrences
  • Content

Was this helpful?

FV-SOL-4 Bad Access Control

TLDR

Improper access control can let unauthorized users access or modify restricted functionality

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract BadAccessControl {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function deposit() public payable {}

    function withdraw() public {
        // No access control here, anyone can call this
        payable(msg.sender).transfer(address(this).balance);
    }
}

Classifications

FV-SOL-4-C1 Using tx.origin for Authorization

FV-SOL-4-C2 Unrestricted Role Assignment

Lack of Multi-Signature for Crucial Operations (FV-SOL-4-C3)

if a critical function (like transferring large funds or changing important contract settings) is controlled by a single address (usually the contract owner), it creates a single point of failure

Mitigation Patterns

Ownership Pattern (FV-SOL-4-M1)

The ownership pattern restricts critical functions to the contract owner, usually set during contract deployment. This is commonly achieved with an onlyOwner modifier

Proper RBAC (FV-SOL-4-M2)

Role-Based Access Control allows defining multiple roles, each with specific permissions. For example, roles like Admin, Minter, or Pauser can be created, allowing more granular control

Multi-Signature Approval (FV-SOL-4-M3)

Multi-sig patterns require multiple accounts to approve a critical action before it can be executed. This reduces the risk of unauthorized actions due to a compromised account

Actual Occurrences

  • https://solodit.cyfrin.io/issues/h-02-eth-gets-locked-in-the-groupcoinfactory-contract-pashov-audit-group-none-groupcoin-markdown

Content

PreviousFV-SOL-3-C4 Misuse of Environment VariablesNextFV-SOL-4-C1 Using tx.origin for Authorization

Last updated 12 days ago

Page cover image