EVM Attack Pattern April 10, 2025 13 min read

Access Control Bypass

How attackers exploit missing or improper access restrictions on critical functions — responsible for over $1.3 billion in DeFi losses including the largest hack in history.

evmcriticalaccess-controlauthorizationattack-patternred-team

Overview

Access control bypass is the single most expensive vulnerability class in smart contract security, responsible for over $1.3 billion in cumulative DeFi losses. It encompasses missing access modifiers, weak multisig thresholds, public initialization functions, and unprotected privileged function exposure. These vulnerabilities allow attackers to execute administrative actions — changing owners, minting tokens, upgrading logic, draining treasuries — that should be restricted to authorized parties.

What makes access control bypasses uniquely dangerous is their simplicity. Unlike complex DeFi exploits that chain flash loans, oracle manipulation, and price arbitrage, most access control attacks require nothing more than calling a function that should have been restricted. The attacker does not need to understand the protocol’s financial mechanics or construct elaborate multi-step transactions. They simply call setOwner(), initialize(), or mint() and take control.

The category spans a wide spectrum: from a single missing onlyOwner modifier on a setter function to sophisticated social engineering campaigns that compromise validator keys in multi-signature schemes. The common thread is that a privileged operation executes without verifying the caller’s authority.

Sigvex detects access control vulnerabilities through static bytecode analysis. See the Access Control Detector for detection methodology and the Remediation Guide for step-by-step fixes.

How This Attack Works

From a red team perspective, exploiting access control weaknesses follows a methodical reconnaissance and exploitation sequence.

1. Reconnaissance

The first phase is mapping the contract’s attack surface to identify privileged operations and their authorization mechanisms.

Enumerate all public and external functions in the contract. Every function without private or internal visibility is callable by any address on the network. Pay special attention to functions whose names suggest administrative operations: set*, update*, change*, add*, remove*, pause, unpause, upgrade*, mint, burn, transfer*Ownership.
Identify admin and privileged functions. Any function that modifies ownership, role assignments, fee structures, pausing state, proxy implementation addresses, or minting capabilities is a high-value target. Cross-reference these against the contract’s modifier list to verify that each one is actually protected.
Check for initialization functions. In proxy-based upgradeable contracts, constructor logic is moved into an initialize() function. If this function lacks an initialization guard (such as OpenZeppelin’s initializer modifier), it can be called by anyone at any time — potentially overwriting the owner and all configuration.
Analyze multisig configurations and threshold ratios. For contracts governed by multisig wallets, determine the total number of signers and the required threshold. A threshold of 50%+1 (e.g., 5 of 9) makes key compromise feasible through targeted social engineering. Calculate how many keys an attacker would need to compromise and assess whether that is realistic given the signer set.
Inspect role hierarchies. In role-based access control (RBAC) systems, determine which roles can grant other roles. A role that can assign DEFAULT_ADMIN_ROLE to arbitrary addresses effectively controls the entire system.

2. Common Attack Vectors

Missing Access Modifiers

The most straightforward vector. A function that modifies critical state — such as changing a keeper address, setting a fee recipient, or updating a price oracle — lacks any caller verification. The developer simply forgot the onlyOwner modifier, or the function was added in a later update without the same rigor applied to the original deployment.

// VULNERABLE: No access control on critical function
function setKeeper(address newKeeper) public {
    // Missing: require(msg.sender == owner, "Unauthorized");
    keeper = newKeeper;
}

An attacker calls setKeeper() with their own address, then uses the keeper role to execute privileged operations such as signing cross-chain messages, triggering liquidations, or moving protocol funds.

Public Initialization

Proxy patterns separate deployment from initialization. The proxy contract is deployed with minimal logic, and the implementation contract’s initialize() function sets up ownership, configuration, and initial state. If the implementation contract’s initialize() function is left unguarded, anyone can call it — either on the implementation directly (which can have unexpected side effects with delegatecall) or on an uninitialized proxy.

// VULNERABLE: Public initializer without guard
function initWallet(address[] memory _owners, uint _required) public {
    // Missing: require(!initialized, "Already initialized");
    m_numOwners = _owners.length;
    m_owners[1] = uint(msg.sender); // Attacker becomes owner
}

The attacker calls initWallet() on an already-deployed contract, overwriting the legitimate owner list with their own address. They then call execute() to drain all funds.

Weak Multisig Thresholds

Multi-signature wallets and validator sets that require only a simple majority (50%+1) to authorize transactions are vulnerable to targeted key compromise. If an attacker can obtain just over half the required keys — through phishing, malware, insider threats, or supply chain attacks — they can forge any transaction the multisig controls.

The risk compounds when multiple keys are held by the same organization, stored in the same infrastructure, or controlled by individuals susceptible to the same social engineering vector.

Privilege Escalation

Some contracts contain functions that allow changing the owner or admin role without adequate authorization. This includes functions where tx.origin is used instead of msg.sender for authorization (enabling phishing attacks through intermediary contracts), functions where the authorization check references a mutable state variable that the attacker can manipulate, and self-referential governance where a proposal to change the admin can be submitted and approved by the admin being changed.

Historical Exploits

Ronin Bridge ($625M, March 2022)

Detail	Value
Contract	`0x173e552bf97bbd5b041cafd830dc2be810645552`
Loss	~$625M (173,600 ETH + 25.5M USDC)
Root cause	Only 5 of 9 validator keys required (55.6% threshold)
Attribution	Lazarus Group (North Korea)

The Ronin Bridge, which facilitated asset transfers between Ethereum and the Ronin sidechain powering Axie Infinity, used a 5-of-9 multisig validator scheme to authorize withdrawals. This meant an attacker needed to compromise just five keys to forge arbitrary withdrawal messages.

The attack began with a spear phishing campaign targeting Sky Mavis employees. The attackers compromised four Sky Mavis validator keys through this campaign. The fifth key came from the Axie DAO, which had granted Sky Mavis temporary authorization to sign transactions on its behalf during a period of high network load in November 2021. That authorization was never revoked.

With five validator signatures in hand, the attackers forged two withdrawal transactions: one for 173,600 ETH and another for 25.5 million USDC. The total loss was approximately $625 million, making it the largest DeFi hack in history at the time.

The attack went undetected for six days. It was only discovered when a user reported being unable to withdraw 5,000 ETH from the bridge. Sky Mavis subsequently compensated affected users and increased the validator threshold, but the incident remains the definitive example of why weak multisig thresholds on bridge contracts are catastrophic.

Poly Network ($611M, August 2021)

Detail	Value
Contract	`0xaeeb8ff27288bdabc0fa5ebb731b6f409507516c`
Loss	~$611M across Ethereum, BSC, and Polygon
Root cause	`putCurEpochConPubKeyBytes()` was public with no access control
Outcome	All funds returned (attacker claimed whitehat motivation)

The Poly Network cross-chain bridge relied on a set of “keeper” addresses to sign and authorize cross-chain messages. The function putCurEpochConPubKeyBytes(), which replaced the active keeper set, was public and callable by any address with no authorization check whatsoever.

The attack sequence was devastatingly simple:

The attacker called the unprotected putCurEpochConPubKeyBytes() function, replacing the legitimate keeper public keys with their own.
With control of the keeper role, the attacker signed cross-chain messages authorizing withdrawals from Poly Network’s vaults on Ethereum, Binance Smart Chain, and Polygon.
The bridge contracts verified the signatures against the (now attacker-controlled) keeper keys and released approximately $611 million in assets.

The attacker later claimed to have carried out the exploit to expose the vulnerability before a malicious actor could find it, and returned all funds over the following two weeks. Regardless of intent, the exploit demonstrated that a single missing access modifier on a keeper-management function can compromise an entire cross-chain protocol.

Parity Wallet Multisig ($30M, July 2017)

Detail	Value
Contract	`0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4`
Loss	~$30M
Root cause	`initWallet()` was public and lacked an initialization guard
Affected parties	Edgeless, Swarm City, Aeternity, and others

The Parity multisig wallet contract used a library pattern where the wallet logic resided in a shared library contract, and individual wallet instances delegated calls to it. The initWallet() function, which set the wallet’s owner list and required signature threshold, was public and contained no check for whether the wallet had already been initialized.

The attacker systematically called initWallet() on deployed Parity multisig wallets, passing their own address as the sole owner with a threshold of 1. This overwrote the legitimate owner configuration, granting the attacker unilateral control. They then called execute() to transfer all funds out of each compromised wallet.

This was the first of two Parity wallet incidents (the second, in November 2017, resulted in $280M being permanently frozen). Together, they established public initialization as a critical vulnerability class and directly motivated the development of OpenZeppelin’s Initializable pattern.

Uranium Finance ($50M, April 2021)

Detail	Value
Network	Binance Smart Chain
Loss	~$50M
Root cause	Incorrect balance calculation during v2 migration with missing access controls

Uranium Finance, a Uniswap V2 fork on BSC, introduced a critical vulnerability during its migration to v2. The migration process involved balance calculations that lacked proper access controls, allowing an attacker to exploit the incorrect arithmetic in conjunction with unprotected migration functions to drain approximately $50 million from the protocol’s liquidity pools.

Detection Patterns

At the bytecode level, access control vulnerabilities exhibit identifiable patterns that static analysis can flag:

Missing onlyOwner or onlyAdmin modifiers on state-changing functions. Any function that executes SSTORE (modifying contract storage) without first performing a CALLER-based comparison against a stored admin address is a potential vulnerability. The absence of this pattern in functions that modify ownership, roles, fees, or implementation addresses is a strong signal.
Public functions that should be private or internal. Functions whose names or behavior suggest internal use (helper functions, configuration setters, migration logic) but are compiled with public or external visibility. At the bytecode level, these are reachable through the function dispatcher.
Missing initialization guards. In upgradeable contracts, the initialize() function should contain a storage-based flag check that prevents re-initialization. The absence of an SLOAD followed by a conditional revert at the beginning of an initializer function indicates a missing guard.
Weak multisig thresholds. Contracts that store a signer count and a threshold where the threshold is less than 67% of the signer count. While this requires understanding the contract’s storage layout, the pattern of comparing a threshold variable against a signer count variable is detectable.
Public initialization functions without initializer protection. Proxy implementation contracts where the initialization function can be called more than once, identified by the absence of a boolean or counter-based guard in the function’s entry logic.
Missing role-based access control (RBAC). Contracts that implement role-like storage patterns (mappings from addresses to booleans or role identifiers) but fail to check these mappings before executing privileged operations.

Mitigation Strategies

1. OpenZeppelin Access Control

For contracts requiring multiple roles with distinct permissions, OpenZeppelin’s AccessControl provides a battle-tested RBAC framework. Each role is a bytes32 identifier, and the framework handles role assignment, revocation, and checking.

import "@openzeppelin/contracts/access/AccessControl.sol";

contract SecureProtocol is AccessControl {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant KEEPER_ROLE = keccak256("KEEPER_ROLE");

    constructor() {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(ADMIN_ROLE, msg.sender);
    }

    function setKeeper(address newKeeper) external onlyRole(ADMIN_ROLE) {
        _grantRole(KEEPER_ROLE, newKeeper);
    }

    function executePrivileged() external onlyRole(KEEPER_ROLE) {
        // Protected function
    }
}

Every function that modifies state or executes privileged logic must have an explicit role check. The DEFAULT_ADMIN_ROLE can grant and revoke other roles, so it must be held by the most trusted address (typically a multisig or governance contract, not an EOA).

2. Safe Initialization Pattern

For upgradeable contracts using proxy patterns, OpenZeppelin’s Initializable base contract provides an initializer modifier that guarantees the initialization function can only be called once. This replaces the constructor, which does not execute in the context of a proxy.

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

contract SecureProxy is Initializable {
    address public owner;

    function initialize(address _owner) external initializer {
        require(_owner != address(0), "Zero address");
        owner = _owner;
    }
}

The initializer modifier uses a storage-based flag to track whether initialization has occurred. After the first call, any subsequent call reverts. This must be applied to every function that sets up initial contract state in an upgradeable contract. Additionally, the implementation contract itself should call _disableInitializers() in its constructor to prevent direct initialization of the implementation (as opposed to the proxy).

3. Timelock for Admin Actions

Critical administrative operations should not execute immediately. A timelock introduces a mandatory delay between proposing an action and executing it, giving users and monitoring systems time to detect and respond to malicious or unauthorized changes.

uint256 public constant TIMELOCK_DELAY = 2 days;
mapping(bytes32 => uint256) public pendingActions;

function proposeAction(bytes32 actionHash) external onlyOwner {
    pendingActions[actionHash] = block.timestamp + TIMELOCK_DELAY;
    emit ActionProposed(actionHash, block.timestamp + TIMELOCK_DELAY);
}

function executeAction(bytes32 actionHash) external onlyOwner {
    require(pendingActions[actionHash] != 0, "Not proposed");
    require(block.timestamp >= pendingActions[actionHash], "Timelock active");
    delete pendingActions[actionHash];
    // Execute the action
}

Timelocks are particularly valuable for operations such as changing the proxy implementation (upgrades), modifying fee structures, updating oracle addresses, and transferring ownership. The delay period should be calibrated to the severity of the action: 24-48 hours for standard operations, up to 7 days for critical changes like implementation upgrades.

4. Strong Multisig Thresholds

For contracts governed by multi-signature wallets or validator sets, the signature threshold must be high enough to make key compromise infeasible through targeted attacks.

Industry recommendation:
- Critical operations: 75% threshold (e.g., 6 of 8)
- Standard operations: 67% threshold (e.g., 3 of 4)
- NEVER: 50%+1 (e.g., 5 of 9 like Ronin)
- Use hardware security modules (HSMs) for validator keys
- Geographically distribute key holders
- Ensure no single organization controls a majority of keys
- Rotate keys periodically and revoke stale authorizations
- Implement monitoring and alerting for unusual signing patterns

The Ronin Bridge hack demonstrated that a 55.6% threshold (5 of 9) is insufficient when multiple keys are held by the same organization or share operational dependencies. A 75% threshold (7 of 9) would have required the attacker to compromise two additional independent validators, substantially increasing the difficulty and cost of the attack.