The biggest smart contract security failures of early 2026 haven't been classic reentrancy bugs or integer overflows — they've been access control misconfigurations. Authorization abuse, compromised privileged access, and missing role checks have collectively cost protocols hundreds of millions. Yet most audit toolchains still focus primarily on the "classic" vulnerability classes.
In this hands-on guide, we'll build four custom Slither detectors specifically designed to catch the access control patterns that have led to real DeFi exploits. These aren't toy examples — they're production-ready detectors you can drop into your CI pipeline today.
Why Access Control Deserves Its Own Tooling
According to BlockSec's February 2026 security roundup, authorization-related losses accounted for over 60% of total DeFi losses that month. The OWASP Smart Contract Top 10 for 2026 lists "Access Control Vulnerabilities" as the #1 risk category.
The problem isn't that developers don't know about onlyOwner. It's that modern DeFi protocols have complex role hierarchies, multi-contract privilege chains, and upgradeable proxy patterns where access control gaps hide in the interactions between contracts rather than within individual functions.
Built-in static analyzers catch the obvious cases. The subtle ones need custom detection logic.
Setting Up Your Custom Detector Environment
First, ensure Slither is installed with development dependencies:
pip3 install slither-analyzer solc-select
solc-select install 0.8.24
solc-select use 0.8.24
Create a detector directory structure:
defi-detectors/
├── __init__.py
├── unprotected_state_mutation.py
├── missing_timelock_check.py
├── proxy_auth_gap.py
└── role_escalation_path.py
Detector 1: Unprotected State-Mutating Functions
This detector goes beyond Slither's built-in checks by analyzing the call graph to find functions that modify critical state variables (owner, admin addresses, pause states, fee parameters) without access control — even through internal call chains.
from slither.detectors.abstract_detector import (
AbstractDetector,
DetectorClassification,
)
from slither.core.declarations import Function
# State variable names that indicate privileged state
CRITICAL_STATE_KEYWORDS = [
"owner", "admin", "operator", "guardian", "keeper",
"paused", "frozen", "fee", "rate", "threshold",
"oracle", "router", "treasury", "vault",
"implementation", "beacon", "proxy",
]
ACCESS_CONTROL_MODIFIERS = [
"onlyowner", "onlyadmin", "onlyrole", "onlygovernance",
"onlyguardian", "onlyoperator", "whennotpaused",
"onlyproxy", "onlydelegatedcall", "authorized",
"requiresauth", "auth",
]
class UnprotectedCriticalState(AbstractDetector):
ARGUMENT = "unprotected-critical-state"
HELP = "Critical state variables modified without access control"
IMPACT = DetectorClassification.HIGH
CONFIDENCE = DetectorClassification.MEDIUM
WIKI = "https://github.com/example/defi-detectors"
WIKI_TITLE = "Unprotected Critical State Mutation"
WIKI_DESCRIPTION = (
"Detects public/external functions that modify critical "
"state variables without access control modifiers."
)
WIKI_RECOMMENDATION = (
"Add appropriate access control (onlyOwner, role-based, "
"or timelock) to functions that modify sensitive parameters."
)
def _has_access_control(self, function: Function) -> bool:
"""Check if function or its modifiers enforce access control."""
for modifier in function.modifiers:
if any(
kw in modifier.name.lower()
for kw in ACCESS_CONTROL_MODIFIERS
):
return True
# Check for require(msg.sender == ...) patterns in the function
for node in function.nodes:
for ir in node.irs:
ir_str = str(ir)
if "msg.sender" in ir_str and (
"require" in str(node.expression).lower()
or "if" in str(node.expression).lower()
):
return True
return False
def _writes_critical_state(self, function: Function) -> list:
"""Return list of critical state variables written by function."""
critical_writes = []
for var in function.state_variables_written:
if any(kw in var.name.lower() for kw in CRITICAL_STATE_KEYWORDS):
critical_writes.append(var)
return critical_writes
def _detect(self):
results = []
for contract in self.slither.contracts_derived:
for function in contract.functions:
if function.visibility not in ["public", "external"]:
continue
if function.is_constructor or function.is_fallback:
continue
critical_vars = self._writes_critical_state(function)
if critical_vars and not self._has_access_control(function):
for var in critical_vars:
info = [
function,
" modifies critical state variable `",
var.name,
"` without access control\n",
]
res = self.generate_result(info)
results.append(res)
return results
What this catches that built-in detectors miss: Functions that write to variables with names like feeRate, oracleAddress, or treasuryVault but don't have any modifier or msg.sender check. The keyword-based approach catches protocol-specific naming patterns.
Detector 2: Missing Timelock on Privileged Operations
One of the most impactful access control patterns in DeFi is the timelock — requiring a delay between proposing and executing sensitive changes. Many protocols implement onlyOwner but skip the timelock, making rug-pulls instantaneous.
from slither.detectors.abstract_detector import (
AbstractDetector,
DetectorClassification,
)
TIMELOCK_MODIFIERS = [
"timelock", "timelocked", "delayed", "afterdelay",
"onlytimelock", "viapropogation",
]
PRIVILEGED_OPERATIONS = [
"setfee", "updatefee", "changefee",
"setoracle", "updateoracle", "changeoracle",
"transferownership", "renounceownership",
"upgrade", "upgradeto", "upgradetoandcall",
"setimplementation", "changeimplementation",
"pause", "unpause", "freeze", "unfreeze",
"setadmin", "changeadmin", "grantRole",
"mint", "setminter", "addminter",
"settreasury", "settreasuryaddress",
"setemergency", "setguardian",
"withdraw", "emergencywithdraw",
"setrewardrate", "setinterestrate",
]
class MissingTimelockOnPrivileged(AbstractDetector):
ARGUMENT = "missing-timelock"
HELP = "Privileged operations without timelock protection"
IMPACT = DetectorClassification.HIGH
CONFIDENCE = DetectorClassification.MEDIUM
WIKI = "https://github.com/example/defi-detectors"
WIKI_TITLE = "Missing Timelock on Privileged Operations"
WIKI_DESCRIPTION = (
"Detects privileged functions that modify protocol "
"parameters without a timelock delay."
)
WIKI_RECOMMENDATION = (
"Implement a timelock controller (e.g., OpenZeppelin "
"TimelockController) for all privileged parameter changes."
)
def _is_privileged_op(self, function_name: str) -> bool:
name_lower = function_name.lower()
return any(op in name_lower for op in PRIVILEGED_OPERATIONS)
def _has_timelock(self, function) -> bool:
for modifier in function.modifiers:
if any(
kw in modifier.name.lower() for kw in TIMELOCK_MODIFIERS
):
return True
# Check if function calls a timelock contract
for call in function.external_calls_as_expressions:
call_str = str(call).lower()
if "timelock" in call_str or "delay" in call_str:
return True
return False
def _detect(self):
results = []
for contract in self.slither.contracts_derived:
for function in contract.functions:
if function.visibility not in ["public", "external"]:
continue
if not self._is_privileged_op(function.name):
continue
if not self._has_timelock(function):
info = [
function,
" performs a privileged operation without "
"timelock protection\n",
]
res = self.generate_result(info)
results.append(res)
return results
Detector 3: Proxy Authorization Gaps
This detector catches a pattern responsible for multiple nine-figure exploits: upgradeable proxy contracts where _authorizeUpgrade() or equivalent functions are left unprotected.
from slither.detectors.abstract_detector import (
AbstractDetector,
DetectorClassification,
)
class ProxyAuthorizationGap(AbstractDetector):
ARGUMENT = "proxy-auth-gap"
HELP = "Upgradeable proxy missing authorization on upgrade functions"
IMPACT = DetectorClassification.HIGH
CONFIDENCE = DetectorClassification.HIGH
WIKI = "https://github.com/example/defi-detectors"
WIKI_TITLE = "Proxy Authorization Gap"
WIKI_DESCRIPTION = (
"Detects UUPS/TransparentProxy patterns where "
"upgrade authorization is missing or weak."
)
WIKI_RECOMMENDATION = (
"Ensure _authorizeUpgrade() has onlyOwner or "
"equivalent access control, and implementation "
"contracts call _disableInitializers() in constructor."
)
UPGRADE_FUNCTIONS = [
"_authorizeupgrade",
"upgradeto",
"upgradetoandcall",
"upgradeandcall",
]
INITIALIZER_KEYWORDS = [
"initialize", "init", "__init",
]
def _detect(self):
results = []
for contract in self.slither.contracts_derived:
is_upgradeable = any(
"upgradeable" in parent.name.lower()
or "uups" in parent.name.lower()
or "proxy" in parent.name.lower()
for parent in contract.inheritance
)
if not is_upgradeable:
continue
for function in contract.functions:
fname = function.name.lower()
# Check 1: _authorizeUpgrade without access control
if fname == "_authorizeupgrade":
has_modifier = bool(function.modifiers)
has_require = any(
"require" in str(node.expression).lower()
or "revert" in str(node.expression).lower()
for node in function.nodes
if node.expression
)
if not has_modifier and not has_require:
info = [
function,
" has no access control — anyone can "
"upgrade the implementation\n",
]
results.append(self.generate_result(info))
# Check 2: Initializer without initializer modifier
if any(kw in fname for kw in self.INITIALIZER_KEYWORDS):
has_initializer_mod = any(
"initializer" in m.name.lower()
for m in function.modifiers
)
if (
function.visibility in ["public", "external"]
and not has_initializer_mod
):
info = [
function,
" is an initializer without the "
"`initializer` modifier — "
"can be re-initialized\n",
]
results.append(self.generate_result(info))
return results
Detector 4: Role Escalation Paths
The most sophisticated detector: it traces whether any function can grant roles or permissions without requiring a higher-privilege role. This catches circular permission dependencies and self-granting patterns.
from slither.detectors.abstract_detector import (
AbstractDetector,
DetectorClassification,
)
ROLE_GRANTING_FUNCTIONS = [
"grantrole", "revokerole", "setrolemember",
"addminter", "addoperator", "addguardian",
"setadmin", "transferownership",
]
class RoleEscalationPath(AbstractDetector):
ARGUMENT = "role-escalation"
HELP = "Potential role escalation through weak permission chains"
IMPACT = DetectorClassification.HIGH
CONFIDENCE = DetectorClassification.LOW
WIKI = "https://github.com/example/defi-detectors"
WIKI_TITLE = "Role Escalation Path"
WIKI_DESCRIPTION = (
"Detects functions that can grant elevated privileges "
"without requiring appropriately elevated caller permissions."
)
WIKI_RECOMMENDATION = (
"Ensure role-granting functions require admin-level "
"permissions and implement proper role hierarchies."
)
def _detect(self):
results = []
for contract in self.slither.contracts_derived:
for function in contract.functions:
fname = function.name.lower()
if not any(
rg in fname for rg in ROLE_GRANTING_FUNCTIONS
):
continue
if function.visibility not in ["public", "external"]:
continue
# Check: does this function have any access control?
has_access = bool(function.modifiers)
has_sender_check = False
for node in function.nodes:
if node.expression and "msg.sender" in str(
node.expression
):
has_sender_check = True
break
if not has_access and not has_sender_check:
info = [
function,
" can grant elevated privileges without "
"requiring any caller authorization\n",
]
results.append(self.generate_result(info))
# Check for self-granting: can the granted role
# call this same function?
if has_access:
for modifier in function.modifiers:
mod_name = modifier.name.lower()
# If the required role is the same as
# what's being granted
for rg in ROLE_GRANTING_FUNCTIONS:
if rg in fname and rg.replace(
"grant", ""
).replace("add", "").replace(
"set", ""
) in mod_name:
info = [
function,
" may allow circular role "
"escalation — the granted role "
"might be able to call this "
"function\n",
]
results.append(
self.generate_result(info)
)
return results
Integrating Into Your CI Pipeline
Create a slither.config.json to wire everything together:
{
"detectors_path": "./defi-detectors",
"detect": [
"unprotected-critical-state",
"missing-timelock",
"proxy-auth-gap",
"role-escalation"
],
"filter_paths": "node_modules|lib|test",
"exclude_informational": true,
"sarif": "slither-results.sarif"
}
GitHub Actions workflow:
name: DeFi Access Control Audit
on: [push, pull_request]
jobs:
slither-access-control:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Install Slither
run: pip3 install slither-analyzer
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
- name: Run Custom Access Control Detectors
run: |
slither . \
--config-file slither.config.json \
--sarif slither-results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: slither-results.sarif
Real-World Impact: What These Detectors Would Have Caught
Let's trace these detectors against real 2026 incidents:
YieldBloxDAO Oracle Manipulation (~$10M, Feb 2026)
Detector 1 (Unprotected Critical State) would have flagged the oracle update function that lacked proper access control, allowing the attacker to manipulate price feeds.
Uninitialized Proxy Exploits (Multiple, $200M+ cumulative)
Detector 3 (Proxy Authorization Gap) directly catches the pattern of unprotected _authorizeUpgrade() and missing initializer modifiers that enabled these attacks.
Step Finance OpSec Failure (Feb 2026)
Detector 2 (Missing Timelock) would have flagged that critical parameter changes could be executed immediately without a timelock delay, giving users no time to react to malicious changes.
Beyond Static Analysis: Combining With Runtime Monitoring
Static analysis catches code-level issues, but access control attacks often exploit operational gaps. Complement these detectors with:
- OpenZeppelin Defender Sentinels — Monitor on-chain transactions for unexpected role changes
- Forta Bots — Real-time detection of privileged function calls from unexpected addresses
- Tenderly Alerts — Track state variable changes that bypass expected patterns
// Example Forta bot for monitoring role changes
const handleTransaction = async (txEvent) => {
const roleGrantedEvents = txEvent.filterLog(
'event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender)'
);
for (const event of roleGrantedEvents) {
if (!EXPECTED_ADMINS.includes(event.args.sender)) {
return Finding.fromObject({
name: "Unexpected Role Grant",
description: `Role ${event.args.role} granted by unexpected address ${event.args.sender}`,
alertId: "ACCESS-CONTROL-1",
severity: FindingSeverity.Critical,
type: FindingType.Suspicious,
});
}
}
};
Key Takeaways
- Access control > reentrancy in 2026's threat landscape. Adjust your tooling accordingly.
- Custom detectors are cheap insurance. Four Python files can catch patterns responsible for hundreds of millions in losses.
- Name-based heuristics work surprisingly well for access control detection because Solidity conventions are strong.
- Layer static + dynamic analysis. Slither catches code issues; runtime monitoring catches operational ones.
- Automate in CI. Every PR should run these checks automatically.
The code for all four detectors is available on GitHub. Star the repo if you find it useful, and feel free to contribute additional detector patterns.
This article is part of a series on DeFi security tooling. Previous articles covered Foundry invariant testing, Semgrep rules for Solana Anchor, and AI-powered smart contract auditing.
Top comments (0)