Access Control Vulnerability in DeFi | QuillAudits

Table of Contents:

What does “Access Control” mean?

Importance of use of access controls:

1. It helps protect critical functions from unauthorized access.

2. It helps in creating different levels of authorization.

3. It helps in Whitelisting and blacklisting users.

4. Granting and Revoking Roles:

Real-life Exploits Case Studies:

1. Rikkei Finance:

function setOracleData(address rToken, oracleChainlink _oracle) external { //vulnerable point
oracleData[rToken] = _oracle;
}

2. Ragnarok Online Invasion:

function transferOwnership(address newOwner) public virtual {
require(newOwner != address(0), "Ownable: new owner is the zero address");
emit OwnershipTransferred(_owner, newOwner);
_owner = newOwner;
}

3. UERII Token:

function mint() public returns (bool) { 
_mint( msg.sender, 100000000000000000 );
return true;
}

Openzeppelin’s access control Libraries:

1. Ownership and Ownable:

2. Role-Based Access Control (RBAC):

A small challenge for you:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

conract accessControlVuln {

error notWhitelisted();
bool pwn;
address owner;
mapping(address => bool) whitelistedMinters;

constructor() {
owner = msg.sender;
}
modifier whitelisted(address addr) {
if(!whitelistedMinters[addr]) revert notWhitelisted();
_;
}
function addToWhitelist(address addr) public {
require(addr != address(0), "Zero address");
whitelistedMinters[addr] = true;
}
function changeOwner(address addr) public whitelisted(addr) {
owner = msg.sender;
}
function pwnOwner() public {
require (msg.sender == owner);
pwn = true;
}
}

Web3 security- Need of the hour

Want more Such Security Blogs & Reports?

Partner with QuillAudits :

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store