Rust Smart Contracts Development Diary (7) Contract Security - Access Control

This article will introduce the relevant content of permission control in Rust smart contracts from two perspectives:

1. Visibility of contract methods (functions) access/calls
2. Access control and responsibility division of privileged functions

1. Contract Function (Method) Visibility

When writing smart contracts, the visibility of the contract functions can be specified to control the permissions for calling those functions. This is crucial for protecting key parts of the contract from being accessed or manipulated accidentally.

Taking the Bancor Network exchange as an example, a security incident occurred on June 18, 2020, due to an incorrect access control setting for a key function in the contract. The contract was written in Solidity, and function visibility is divided into public/external and private/internal.

Bancor mistakenly set some key transfer functions to public attributes while fixing a security vulnerability, allowing anyone to call these functions from outside the contract for transfer operations, putting users' assets worth $590,000 at serious risk.

In Rust smart contracts, function visibility control is equally important. The contract functions marked with the #[near_bindgen] macro defined by the NEAR SDK have the following visibility attributes:

• pub fn: a public function that is part of the contract interface and can be called from outside the contract.
• fn: A function without a specified pub can only be called internally within the contract.
• pub(crate) fn: restricts calls to within the crate.

Another way to set the method as internal is to define it in the impl Contract code block that is not decorated with #[near_bindgen].

For callback functions, they must be set as public properties to be called via function call. At the same time, it is necessary to ensure that the callback functions can only be called by the contract itself, which can be implemented using the #[private] macro.

2. Access Control of Privileged Functions(Whitelist Mechanism)

In addition to function visibility, a complete access control whitelist mechanism needs to be established from a semantic level. Certain privileged functions (such as contract initialization, enabling/disabling, unified transfers, etc.) can only be called by the contract owner (owner).

You can implement custom traits to control access to privileged functions, checking whether the transaction caller is the contract owner:

rust pub trait Ownable { fn assert_owner(&self) { assert_eq!(env::predecessor_account_id(), self.get_owner()); } AccountId; fn set_owner(&mut self, owner: AccountId); }

Based on this principle, more complex traits can be customized to set multiple users or multiple whitelists in the whitelist, achieving fine-grained access control.

3. More Access Control Methods

Other access control methods in Rust smart contracts include:

• Control of the timing of smart contracts invocation
• The multi-signature calling mechanism of contract functions
• Governance(DAO) implementation

These contents will be detailed in the subsequent series of smart contracts cultivation diaries.