# insufficient access control on sensitive functions allows any caller to execute privileged operations

Missing access modifiers on state-changing functions — setters, minters, admin operations, and configuration updates — allow any external caller to execute operations that should be restricted. This is the most common manifestation of [[access control vulnerabilities are the leading cause of smart contract financial losses|the #1 vulnerability category]].

The failure is not complex: a function that should have `onlyOwner`, `onlyRole`, or similar access checks simply lacks them. Automated tools can detect missing modifiers on state-changing functions, but determining which functions SHOULD be restricted requires understanding the contract's business logic.

Even when Solidity functions are properly protected, inline assembly paths may circumvent modifiers entirely, since [[writing contract logic in yul or assembly can bypass access control mechanisms only implemented in solidity]].

---

Relevant Notes:
- [[access control vulnerabilities are the leading cause of smart contract financial losses]] — the broader category
- [[tx.origin authentication is vulnerable to phishing because any contract in the call chain can read it]] — a related but distinct access control failure
- [[writing contract logic in yul or assembly can bypass access control mechanisms only implemented in solidity]] — assembly code bypasses Solidity-level access modifiers
- [[uninitialized proxy contracts are vulnerable to re-initialization attacks that hijack ownership]] — missing initialization guards are a proxy-specific access control failure

Topics:
- [[vulnerability-patterns]]
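
The missing-modifier heuristic described above, and its limit, as an added example that is not part of the original note: a small Python scanner run over a constructed `Vault` contract. The contract, its function names and the regexes are assumptions for illustration; the scanner treats any custom modifier or inline `msg.sender` comparison as a guard and does not judge whether it is the right one.

```python
import re

# Constructed sample contract for illustration (not from the original note).
SAMPLE = """
contract Vault {
    address public owner;
    uint256 public fee;
    mapping(address => uint256) public balances;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function setFee(uint256 newFee) external { fee = newFee; }
    function mint(address to, uint256 amount) public { balances[to] += amount; }
    function setOwner(address next) external onlyOwner { owner = next; }
    function pause() external { require(msg.sender == owner); fee = 0; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function getFee() external view returns (uint256) { return fee; }
}
"""

HEADER = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
BUILTIN = {"external", "public", "payable", "virtual", "override"}
WRITE = re.compile(r"(?<![=!<>])=(?![=>])|\+\+|--|\bdelete\b")  # assignment-like tokens
SENDER_CHECK = re.compile(r"msg\.sender\s*[=!]=|[=!]=\s*msg\.sender")  # inline caller check

def body_at(src, start):
    """Return the text inside the brace-delimited block whose '{' is at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == "{") - (src[i] == "}")
        if depth == 0:
            return src[start + 1:i]
    return src[start + 1:]  # unbalanced input: take the rest

def unguarded_writers(src):
    """Names of external/public state-writing functions with no modifier or msg.sender check."""
    hits = []
    for m in HEADER.finditer(src):
        attrs = re.sub(r"returns\s*\([^)]*\)", "", m.group(2))  # drop return types
        words = set(re.findall(r"[A-Za-z_]\w*", attrs))
        if not words & {"external", "public"} or words & {"view", "pure"}:
            continue  # not externally callable, or cannot write state
        body = body_at(src, m.end() - 1)
        if words - BUILTIN or SENDER_CHECK.search(body):
            continue  # some guard is present; its correctness is not checked
        if WRITE.search(body):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(unguarded_writers(SAMPLE))
```

The scanner reports `deposit` alongside `setFee` and `mint`: only knowledge of the contract's intent tells a reviewer that `deposit` is meant to be open to any caller while the other two are not.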