Glossary

Access Control

Restricting which addresses or roles can call privileged functions in a smart contract.

Access control is the discipline of ensuring that only authorized addresses can invoke the privileged functions of a smart contract: withdrawing funds, minting tokens, pausing the protocol, upgrading logic.

Broken access control is one of the highest-impact and most preventable vulnerability classes. The classic patterns:

  • Missing modifier: the function should require onlyOwner and doesn't.
  • Wrong modifier: onlyAdmin exists but is checked against the wrong role.
  • Initializable not initialized: a proxy's initializer can be called by anyone if the deployer forgets to call it after deployment.
  • tx.origin instead of msg.sender: the check passes for any contract the owner is tricked into calling, so an intermediary contract can act with the owner's authority.
  • Public when it should be internal: utility functions exposed by accident.

Access control should be exhaustive: every state-changing function has a deliberate authorization decision documented in the audit, and every privileged role has a documented holder (which itself should usually be a multi-sig, not an EOA).
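As an added illustration (constructed for this entry, not code from the page or from any audited project), the same vault is written twice: the first version carries a missing modifier and a tx.origin check from the list above, the second fixes both and logs role changes so they can be monitored. Contract, function and event names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not code from the page: the same vault written twice.
// VulnerableVault shows two of the patterns above; HardenedVault fixes them.
// Contract and function names are assumed for illustration.
contract VulnerableVault {
    address public owner;

    constructor() { owner = msg.sender; }
    receive() external payable {}

    // Missing modifier: any address can drain the vault.
    function withdraw(uint256 amount) external {
        payable(msg.sender).transfer(amount);
    }

    // tx.origin check: passes for any contract the owner is tricked into calling.
    function setOwner(address newOwner) external {
        require(tx.origin == owner, "not owner");
        owner = newOwner;
    }
}

contract HardenedVault {
    address public owner;
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }
    receive() external payable {}

    // Every state-changing function carries an explicit authorization decision.
    function withdraw(uint256 amount) external onlyOwner {
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "transfer failed");
    }

    // msg.sender, never tx.origin; the change is logged so monitoring can catch it.
    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnerChanged(owner, newOwner);
        owner = newOwner;
    }
}
```

In an audit, each function of the hardened contract maps to one documented authorization decision, and the OwnerChanged event gives on-chain monitoring a signal whenever a privileged role holder changes.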
