Secureum Book
  • 🛡️Secureum Bootcamp
    • 🛡️Secureum Bootcamp
    • 🙌Participate
    • 📜History
  • 📚LEARN
    • Introduction
      • 🔷1. Ethereum Basics
        • 1.1 Ethereum: Concept, Infrastructure & Purpose
        • 1.2 Properties of the Ethereum Infrastructure
        • 1.3 Ethereum vs. Bitcoin
        • 1.4 Ethereum Core Components
        • 1.5 Gas Metering: Solving the Halting Problem
        • 1.6 web2 vs. web3: The Paradigm Shift
        • 1.7 Decentralization
        • 1.8 Cryptography, Digital Signature & Keys
        • 1.9 Ethereum State & Account Types
        • 1.10 Transactions: Properties & Components
        • 1.11 Contract Creation
        • 1.12 Transactions, Messages & Blockchain
        • 1.13 EVM (Ethereum Virtual Machine) in Depth
        • 1.14 Transaction Reverts & Data
        • 1.15 Block Explorer
        • 1.16 Mainnet & Testnets
        • 1.17 ERCs & EIPs
        • 1.18 Legal Aspects in web3: Pseudonymity & DAOs
        • 1.19 Security in web3
        • 1.20 web2 Timescales vs. web3 Timescales
        • 1.21 Test-in-Prod. SSLDC vs. Audits
        • Summary: 101 Keypoints
      • 🌀2. Solidity
        • 2.1 Solidity: Influence, Features & Layout
        • 2.2 SPDX & Pragmas
        • 2.3 Imports
        • 2.4 Comments & NatSpec
        • 2.5 Smart Contracts
        • 2.6 State Variables: Definition, Visibility & Mutability
        • 2.7 Data Location
        • 2.8 Functions
        • 2.9 Events
        • 2.10 Solidity Typing
        • 2.11 Solidity Variables
        • 2.12 Address Type
        • 2.13 Conversions
        • 2.14 Keywords & Shorthand Operators
        • 2.15 Solidity Units
        • 2.16 Block & Transaction Properties
        • 2.17 ABI Encoding & Decoding
        • 2.18 Error Handling
        • 2.19 Mathematical & Cryptographic Functions
        • 2.20 Control Structures
        • 2.21 Style & Conventions
        • 2.22 Inheritance
        • 2.23 EVM Storage
        • 2.24 EVM Memory
        • 2.25 Inline Assembly
        • 2.26 Solidity Version Changes
        • 2.27 Security Checks
        • 2.28 OpenZeppelin Libraries
        • 2.29 DAppSys Libraries
        • 2.30 Important Protocols
        • Summary: 201 Keypoints
      • 🔏3. Security Pitfalls & Best Practices
        • 3.1 Solidity Versions
        • 3.2 Access Control
        • 3.3 Modifiers
        • 3.4 Constructor
        • 3.5 Delegatecall
        • 3.6 Reentrancy
        • 3.7 Private Data
        • 3.8 PRNG & Time
        • 3.9 Math & Logic
        • 3.10 Transaction Order Dependence
        • 3.11 ecrecover
        • 3.12 Unexpected Returns
        • 3.13 Ether Accounting
        • 3.14 Transaction Checks
        • 3.15 Delete Mappings
        • 3.16 State Modification
        • 3.17 Shadowing & Pre-declaration
        • 3.18 Gas & Costs
        • 3.19 Events
        • 3.20 Unary Expressions
        • 3.21 Addresses
        • 3.22 Assertions
        • 3.23 Keywords
        • 3.24 Visibility
        • 3.25 Inheritance
        • 3.26 Reference Parameters
        • 3.27 Arbitrary Jumps
        • 3.28 Hash Collisions & Byte Level Issues
        • 3.29 Unicode RTLO
        • 3.30 Variables
        • 3.31 Pointers
        • 3.32 Out-of-range Enum
        • 3.33 Dead Code & Redundant Statements
        • 3.34 Compiler Bugs
        • 3.35 Proxy Pitfalls
        • 3.36 Token Pitfalls
        • 3.37 Special Token Pitfalls
        • 3.38 Guarded Launch Pitfalls
        • 3.39 System Pitfalls
        • 3.40 Access Control Pitfalls
        • 3.41 Testing, Unused & Redundand Code
        • 3.42 Handling Ether
        • 3.43 Application Logic Pitfalls
        • 3.44 Saltzer & Schroeder's Design Principles
        • Summary: 201 Keypoints
      • 🗜️4. Audit Techniques & Tools
        • 4.1 Audit
        • 4.2 Analysis Techniques
        • 4.3 Specification, Documentation & Testing
        • 4.4 False Positives & Negatives
        • 4.5 Security Tools
        • 4.6 Audit Process
        • Summary: 101 Keypoints
      • ☝️5. Audit Findings
        • 5.1 Criticals
        • 5.2 Highs
        • 5.3 Mediums
        • 5.4 Lows
        • 5.5 Informationals
        • Summary: 201 Keypoints
  • 🌱CARE
    • CARE
      • CARE Reports
  • 🚩CTFs
    • A-MAZE-X CTFs
      • Secureum A-MAZE-X
      • Secureum A-MAZE-X Stanford
      • Secureum A-MAZE-X Maison de la Chimie Paris
Powered by GitBook
On this page
  • Access Control Specification
  • Access Control Implementation
  • Access Control Modifiers
  • Modifiers Implementation
  • Modifiers Usage
  • Access Control Changes
  1. LEARN
  2. Introduction
  3. 3. Security Pitfalls & Best Practices

3.40 Access Control Pitfalls

Access control deals with assets, actors and actions, or in other words which actors have access to which assets and how much of those assets and what actions can the actors use to access those assets.

Access Control Specification

The access control specification should detail who can access what and why should they have that access, when can that access happen and how much of those assets can the actors access. All these aspects should be very accurately specified in great detail, so that they can be correctly implemented and enforced across the different contracts and functions, and across all the system transitions and flows that happen within those contracts and functions.

This should help determine the trust, the threat models and any assumptions that are being made from this model. Without such an access control specification it will be very hard or even impossible to evaluate if the implementation actually enforces all these aspects.

Access Control Implementation

The implementation of access control should make sure that every aspect of the access control that was specified in the specification is implemented uniformly and accurately across all the actors on all the assets via all the actions possible. The implementation should make sure that none of the actors, assets and flow conditions within actions are missing or may be sidestepped. Such an implementation should help us evaluate if the access control enforcement has been done correctly according to the specification.

Access Control Modifiers

Access control is typically enforced in Solidity smart contacts by means of modifiers. Instead of implementing access control checks that are required for different functions multiple times in each of those functions, modifiers allow us to encapsulate those checks in one place and then these modifiers can be applied on any of those functions that require the access control checks implemented within them. While this encapsulation brings in the desired aspect of modularity, modifiers also impact auditability.

There's a school of thought that believes that modifiers are good for auditability: they make it easier because they implement all the checks in one place, so instead of reviewing the same checks multiple times in multiple functions these checks can be reviewed once within the modifier, then check if these modifiers are applied correctly to all the functions that require those checks, so that makes auditability easier.

On the flip side, there's another school of thought that believes that modifiers are not as good for auditability as thought. The reason is that if there is a contract that has multiple modifiers and many functions that use those modifiers, then remember that the programming style guidelines recommend modifiers to be declared and defined at the beginning of the contract, and all the functions come thereafter so, if an auditor is reviewing functions deep down within the contract and it uses multiple modifiers, then they have to scroll up to the modifiers at the beginning of the contracts to check if the desired checks were implemented and if they were implemented correctly. This switching of context in the process of scrolling is believed to not lead to good auditability.

Nevertheless, modifiers are used extensively and reviewing these modifiers should make sure that they are indeed present on the functions that require the checks implemented by them, that modifiers implement valid checks in a correct manner and their order is also correctly specified for functions that use multiple modifiers.

Modifiers Implementation

Given the critical role of modifiers in access control, modifiers need to be implemented correctly. But what does that mean? Access control in smart contracts is enforced on different addresses that may be classified into different roles with differing privileges.

Like we discussed in earlier modules, contracts may have a simple ownership based access control or a more flexible one based on RBAC. In such RBAC scenarios we need to check that modifiers are enforcing the correct checks on the correct roles, that such checks are composed correctly. Such a correct implementation is critical to access control which is the fundamental aspect of smart contract security and therefore needs to be reviewed very carefully.

Modifiers Usage

It is not sufficient to have the modifiers implemented correctly, but they should be used or applied correctly as well: the questions of which modifiers are used, why are they used, the how/what aspects, what are the parameters passed to them and what should they do with them, the order of modifiers when more than one is present, the when aspect (under what state transitions should they be applied), finally the where aspect (the functions where they're applied to). All such aspects of modifiers their functions and any parameters should have been considered correctly.

Access Control Changes

The access control implemented may need to be changed in some scenarios. In such cases, it is critical that the change is done correctly with respect to the assets actors or actions that are impacted. Using the wrong addresses for assets or actors, or allowing the changes to happen at the wrong times in the context of the application logic may lead to loss or locking of funds. Therefore, access control changes should be validated for correctness, use a two-step process to allow recovery from mistakes and also log changes for transparency and off-chain monitoring.

Previous3.39 System PitfallsNext3.41 Testing, Unused & Redundand Code

Last updated 1 year ago

📚
🔏