Advanced Smart Contract Access Control Audit: Identifying Authority Check Vulnerabilities in Move and Solidity

The $3.44 million Typus Finance exploit on October 16, 2025, traced back to a single root cause: missing authority checks in an oracle module. This class of vulnerability, where critical functions lack proper access control, is one of the most preventable yet consistently devastating security flaws in smart contract development. This advanced tutorial walks through how to systematically identify and remediate authority check vulnerabilities across both Move and Solidity codebases, equipping developers and security researchers with practical techniques for preventing similar incidents.

The Objective

This tutorial teaches you to perform a focused access control audit on smart contract codebases. By the end, you will be able to systematically identify every function that modifies state, oracle data, or fund transfers and verify that each one enforces appropriate authority checks. The Typus Finance oracle module lacked authority checks on its price update function, allowing any external caller to manipulate prices. This is exactly the type of vulnerability this methodology is designed to catch.

Prerequisites

You should have intermediate experience with smart contract development in either Move (for Sui/Aptos) or Solidity (for Ethereum and EVM chains). Familiarity with basic security concepts like access control, the principle of least privilege, and common attack patterns is assumed. You will need access to the target protocol’s source code or verified bytecode, and ideally the audit reports that have already been conducted.

Tools you will need include a code editor with syntax highlighting for your target language, Slither for Solidity analysis or the Move Prover for Move contracts, and a spreadsheet or documentation tool for tracking findings. Access to a testnet environment for reproducing findings is recommended but not required.

Step-by-Step Walkthrough

Phase one: function inventory. Begin by cataloging every public and external function in the codebase. For each function, document what state it modifies, whether it transfers funds, and whether it updates oracle or price data. The Typus vulnerability was in a function that updated oracle prices without checking whether the caller was authorized. This inventory becomes your audit checklist.

Phase two: authority mapping. For each function identified in phase one, trace the authorization logic. In Solidity, look for modifier declarations like onlyOwner, onlyRole, or custom access control checks. In Move, look for capability-based access patterns and verify that the required capabilities are properly restricted. Pay special attention to functions that lack any authorization modifier, as these are immediate candidates for exploitation.

Phase three: scope verification. Compare your function inventory against the scope of the most recent audit report. The Typus Finance oracle module was deployed in November 2024 but excluded from the May 2025 audit by MoveBit. Any function not covered by an audit represents unverified risk. Document every out-of-scope function and prioritize these for manual review.

Phase four: exploit scenario development. For each function with missing or weak access control, develop a concrete exploit scenario. Ask: what could an unauthorized caller achieve by invoking this function? Can they manipulate prices, transfer funds, or modify critical state? The Typus attacker exploited the oracle update function to feed false prices into the TLP contract, draining approximately 588,358 SUI, 1.6 million USDC, and other tokens. Your scenario analysis should quantify potential losses based on current TVL.

Phase five: remediation and verification. For each finding, propose a specific fix. In Move, this typically involves adding capability-restricted entry points. In Solidity, this means applying appropriate OpenZeppelin AccessControl roles. After implementing fixes, re-run your function inventory to verify that no new authorization gaps have been introduced. Submit remediated code for independent review.

Troubleshooting

One common challenge is identifying indirect authority bypasses. Sometimes a function appears to have access control, but the check can be circumvented through another function in the same contract or a related module. Trace the full call chain for each privileged operation to ensure authorization cannot be bypassed through alternative code paths.

Another frequent issue is upgradeable contracts where the proxy pattern may introduce new authorization vectors. Verify that upgrade mechanisms themselves are properly access-controlled and that the implementation contract cannot be replaced with a malicious version by an unauthorized party. This is particularly important for protocols using the diamond proxy pattern.

Automated tools may miss context-dependent vulnerabilities. Slither and the Move Prover are excellent for catching common patterns, but they cannot fully evaluate whether the business logic of authorization is correct. A function might check that the caller has a valid role, but if that role is granted too broadly, the check provides false security. Always combine automated analysis with manual business logic review.

Mastering the Skill

To build lasting expertise in access control auditing, practice on real-world exploits. Review the postmortems from the Typus Finance, Cetus Protocol, and Nemo Protocol exploits on Sui, and try to identify the vulnerabilities from the code before reading the explanation. Participate in Code4rena and Sherlock audit competitions to test your skills against real protocols and earn bounties for findings. Contribute to open-source security tools by submitting improvements to detection rules for access control patterns. The Typus exploit cost $3.44 million, but the lesson it teaches is invaluable for anyone serious about smart contract security.

Disclaimer: This article is for educational purposes only. Security auditing does not guarantee the absence of vulnerabilities. Always engage professional security firms for comprehensive audits before deploying smart contracts.