Improper Access Control

Access control vulnerabilities in smart contracts arise when functions or state variables are insufficiently restricted, enabling unauthorised accounts to invoke privileged operations or alter critical on-chain data. These flaws often result from missing or misconfigured access modifiers, incorrect initialisation of ownership, or reliance on unsafe patterns for authorisation.

Remediation

Apply explicit access control to all privileged functions using patterns such as `onlyOwner` or role-based permissions.
Use vetted libraries or frameworks (e.g., OpenZeppelin’s `Ownable`, `AccessControl`) to enforce consistent and well-tested access restrictions.
Ensure constructors and initialisation routines correctly assign ownership and roles at deployment.
Avoid `tx.origin` for access checks; rely on `msg.sender` combined with robust role verification.
Require multi-signature or multi-party approvals for high-value or irreversible operations.

Metadata

Severity: medium
Slug: improper-access-control

CWEs

284: Improper Access Control
285: Improper Authorization

OWASP

SC01:2025: Access Control Vulnerabilities
SC03:2025: Logic Errors

Available Labs

Open Move labs in SecDim Play for this vulnerability.

easy

DAO Governance.move

Move Easy

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.