Access Control

Mechanisms restricting who can call specific smart contract functions or modify state.

What is Access Control?

Access control in smart contracts refers to the mechanisms that restrict which addresses can call specific functions or modify contract state. Proper access control is fundamental to protocol security, preventing unauthorized actions.

Why Access Control Matters

Without access control:

  • Anyone could drain treasury funds
  • Attackers could modify critical parameters
  • Privileged operations would be public
  • Protocol integrity would be impossible

Common Access Control Patterns

  • Ownable: Single owner address with admin privileges. Simple modifier checks if sender equals owner address.
  • Role-Based (RBAC): Multiple roles with different permissions. Roles like ADMIN_ROLE, MINTER_ROLE, PAUSER_ROLE each have specific capabilities.
  • Multi-Signature: Multiple parties must approve actions. Requires threshold of approvals before execution.

OpenZeppelin Access Control

The industry standard implementation provides:

  • Role-based permission system
  • Role admin hierarchy
  • Access enumeration
  • Standardized interfaces
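
The role-based system and role admin hierarchy listed above, as an added example that is not from the original page or from OpenZeppelin's own code. The contract `ExampleVault`, its `admin` and `guardian` constructor parameters, and the way capabilities are split between roles are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical contract used only to illustrate role separation.
contract ExampleVault is AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    bool public paused;
    mapping(address => uint256) public balanceOf;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event Minted(address indexed to, uint256 amount);

    constructor(address admin, address guardian) {
        require(admin != address(0) && guardian != address(0), "zero address");
        // DEFAULT_ADMIN_ROLE is the admin of every role unless changed,
        // so it should be a multisig or timelock, not a single hot key.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        // The guardian can only pause; it cannot mint or grant roles.
        _grantRole(PAUSER_ROLE, guardian);
        // MINTER_ROLE is deliberately left unassigned: the admin grants it
        // later with grantRole(), which emits RoleGranted for transparency.
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        require(!paused, "paused");
        balanceOf[to] += amount;
        emit Minted(to, amount);
    }

    // Emergency stop: a narrow capability held by the guardian.
    function pause() external onlyRole(PAUSER_ROLE) {
        paused = true;
        emit Paused(msg.sender);
    }

    // Resuming is a higher-trust action, so it requires the admin role.
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        paused = false;
        emit Unpaused(msg.sender);
    }
}
```

Access is removed with the inherited `revokeRole`, and `getRoleAdmin` reports which role is allowed to grant or revoke a given role.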

Access Control Best Practices

  • Principle of Least Privilege: Grant minimum necessary permissions
  • Separation of Duties: Split sensitive operations across roles
  • Time Delays: Add timelocks for critical changes
  • Revocability: Ability to remove access when needed
  • Transparency: Publish role assignments and policies

Privileged Roles in DeFi

Common privileged roles include:

  • Admin: Full protocol control
  • Guardian: Emergency pause capability
  • Oracle Updater: Price feed management
  • Governance: Parameter changes
  • Minter: Token creation rights

Access Control Risks

  • Centralization: Too few addresses controlling critical functions
  • Key Compromise: Privileged keys getting stolen
  • Upgrade Risk: Upgrade capabilities as super-admin power
  • Hidden Privileges: Undisclosed admin functions

Decentralization Strategies

Protocols progressively decentralize access:

  1. Start with team multisig
  2. Add timelock for changes
  3. Transition to governance control
  4. Remove admin keys entirely

Auditing Access Control

Security audits examine:

  • All privileged functions
  • Role assignment logic
  • Emergency capabilities
  • Upgrade mechanisms
  • Hidden or obscured permissions

Examples

  • OpenZeppelin AccessControl is industry standard
  • Aave uses role-based permissions with timelock
