Incorrect Access Control — Hard-Coded Owner Check
Incorrect Access Control — Hard-Coded Owner Check
Description
-
Normally, access control in Move modules should restrict certain functions so that only the resource owner (the caller’s address) can perform the action.
-
The code currently checks against a hard-coded address alias
@owner:
This is incorrect, because it enforces that only the deployment account (owner) can call the function, instead of the account that owns the resource.
Correct behavior should compare against the actual signer’s address:
Risk
Likelihood:
-
Reason 1: This bug will occur whenever a user (non-deployer) calls the function, since the assertion only allows the deployer (
@owner). -
Reason 2: In multi-user dApps, this breaks functionality immediately, as no one except the contract deployer can use restricted functions.
Impact:
-
Impact 1: All normal users are denied access to their own resources.
-
Impact 2: The deployer account (
@owner) gains exclusive control, which may cause loss of decentralization, lockout of user assets, or denial of service.
Proof of Concept
Recommended Mitigation
Lead Judging Commences
Lack of signer check in `get_secret`
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.