The $1.5 billion Bybit hack of February 2025, executed through interface manipulation rather than a smart contract vulnerability, has renewed focus on access control mechanisms across the DeFi ecosystem. With Ethereum at $2,821 and the total value locked in DeFi protocols exceeding tens of billions as of February 23, 2025, the technical integrity of access control systems is more critical than ever. This tutorial walks through advanced techniques for auditing smart contract access control.
The Objective
The goal of an access control audit is to verify that every privileged operation within a smart contract system is properly restricted to authorized roles, that role hierarchies are correctly implemented, and that no pathway exists for unauthorized privilege escalation. The CISA alert on CVE-2025-24989 — a Microsoft Power Pages improper access control flaw with a CVSS score of 8.2 — demonstrates that access control vulnerabilities are not limited to smart contracts but represent a systemic risk across all web infrastructure, including the interfaces that interact with blockchain systems.
Prerequisites
This tutorial assumes familiarity with Solidity, the OpenZeppelin access control library, and basic security auditing tools including Slither and Mythril. You will need access to a local blockchain development environment such as Hardhat or Foundry, and a copy of the target contract source code. Understanding of the EVM execution model, particularly how storage slots are accessed and how delegatecall operates, is essential for identifying the most critical access control vulnerabilities.
Begin by setting up your audit environment. Clone the target repository and install all dependencies. Verify that the contract compiles without warnings — compiler warnings often indicate access control issues that developers have overlooked. Configure your static analysis tools to run against the specific Solidity version used by the target contracts.
Step-by-Step Walkthrough
Start with role mapping. Identify every address or contract that holds a privileged role within the system. This includes contract owners, administrators, pausers, minters, and any custom roles defined by the protocol. Document each role and its associated permissions in a matrix format.
Next, trace every external and public function in the contract system. For each function, determine whether it modifies state, and if so, what access control modifier protects it. Flag any state-modifying function that lacks an access control check — these are immediate critical findings.
Examine the role hierarchy carefully. In many protocols, roles are organized hierarchically: an admin role can grant other roles, a timelock can execute governance decisions, and so on. Verify that no circular dependency exists in the role grant mechanism. An attacker who gains a lower-privileged role should never be able to escalate to a higher-privileged role through the contract logic itself.
Analyze all delegatecall operations. A delegatecall preserves the calling context, which means the called contract operates with the permissions and storage of the caller. If the target of a delegatecall can be modified by an unauthorized party, the entire access control system can be bypassed. Verify that delegatecall targets are either immutable or can only be modified through proper governance mechanisms with adequate timelocks.
Check for storage slot collisions in upgradeable contracts. Proxy patterns that use delegatecall share storage layout between the proxy and implementation contracts. If an implementation contract writes to a storage slot that the proxy uses for access control data, an attacker could overwrite role assignments. Use tools like Slither storage-layout detector to identify potential collisions.
Troubleshooting
If you identify a function that appears to lack access control, check whether the contract inherits protection from a parent contract before classifying it as a vulnerability. Some protocols implement access control through modifiers defined in base contracts that may not be immediately visible in the child contract source.
For upgradeable contracts, verify that the initialization functions can only be called once. Many proxy patterns use an initializer instead of a constructor, and if the initializer lacks proper protection, an attacker could re-initialize the contract and set themselves as the owner.
Pay special attention to any function that accepts addresses as parameters and uses those addresses for privileged operations. If an attacker can influence the address parameter, they may be able to redirect privileged calls to a contract they control.
Mastering the Skill
To deepen your access control auditing capabilities, study real-world exploits. The Bybit hack, while not a smart contract vulnerability per se, demonstrates that the interface layer between users and contracts is a critical attack surface. Practice auditing complete DeFi protocols including their governance timelocks, upgrade mechanisms, and emergency pause functions. Contribute to public audit contests on platforms like Code4rena and Sherlock to gain exposure to diverse access control patterns. Build a personal checklist of common access control patterns and their associated vulnerabilities. The most effective auditors develop an intuition for where access control is likely to be implemented incorrectly, allowing them to focus their attention on the highest-risk areas first.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
linking the bybit UI attack to smart contract access control audits is a stretch tbh. totally different threat models
different threat models yeah, but the overlap is that both involve trust assumptions about who can call what. the bybit attack exploited interface trust, smart contract attacks exploit function level trust. same category of vulnerability
role hierarchies in solidity are one of those things every dev thinks they nailed until the audit report says otherwise
Had a junior dev grant DEFAULT_ADMIN_ROLE to a hot wallet once. Audit caught it, but it was a close call. Always review role assignments.
DEFAULT_ADMIN_ROLE to a hot wallet is one of the most common audit findings. seen it on three separate projects last quarter alone. teams need an access control checklist
checklist wont save you if nobody enforces it. seen teams acknowledge the finding in the audit report and ship to mainnet without fixing it
the acknowledged but shipping anyway pattern is why on-chain monitoring matters more than the audit itself. real time alerts catch what audits miss
three projects last quarter with the exact same finding and teams still ship it. access control reviews need to be a CI gate not a post deploy audit checkbox
CI gate for access control reviews is the only fix. if you wait for the audit you are already too late
seen the exact same finding on three audits this year. multisig for admin roles should be the default not a recommendation
had the same thing on a gnosis safe. junior set owner to their metamask. audit saved us too. access control reviews should be mandatory
junior dev plus admin role plus hot wallet is the unholy trinity. seen it on three separate code reviews last year alone
the CVE-2025-24989 comparison is spot on. improper access control is the same bug whether its in a smart contract or a web app. devs keep making the same mistake across every layer
exactly. OWASP A01 is broken access control and it applies to contracts too. the tooling is different but the failure mode is identical
OWASP A01 literally warns about this and smart contract devs still skip it. 30 years of web security knowledge and we keep repeating the same mistakes on new infrastructure