访问控制是智能合约安全的核心组成部分,确保只有授权用户才能执行特定操作。Solidity 提供了多种实现访问控制的方式。
1. 基础访问控制:Only Owner 模式
最简单的访问控制模式,只允许合约部署者执行敏感操作。
contract Ownable { address public owner; event OwnershipTransferred(address indexed previousOwner, address indexed newOwner); constructor() { owner = msg.sender; emit OwnershipTransferred(address(0), msg.sender); } modifier onlyOwner() { require(msg.sender == owner, "Not the owner"); _; } function transferOwnership(address newOwner) public onlyOwner { require(newOwner != address(0), "Invalid address"); emit OwnershipTransferred(owner, newOwner); owner = newOwner; } // 只有 owner 可以调用的函数 function withdraw() public onlyOwner { payable(owner).transfer(address(this).balance); } }
2. OpenZeppelin AccessControl:角色基础访问控制
更灵活、更安全的访问控制方案,支持多角色管理。
import "@openzeppelin/contracts/access/AccessControl.sol"; contract RoleBasedAccess is AccessControl { // 定义角色 bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE"); bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE"); bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE"); constructor() { // 部署者获得默认 admin 角色 _grantRole(DEFAULT_ADMIN_ROLE, msg.sender); _grantRole(ADMIN_ROLE, msg.sender); _grantRole(MINTER_ROLE, msg.sender); } // 只有 MINTER_ROLE 可以铸造 function mint(address to, uint256 amount) public onlyRole(MINTER_ROLE) { // 铸造逻辑 } // 只有 PAUSER_ROLE 可以暂停 function pause() public onlyRole(PAUSER_ROLE) { // 暂停逻辑 } // 只有 ADMIN_ROLE 可以设置参数 function setParameter(uint256 param) public onlyRole(ADMIN_ROLE) { // 设置参数逻辑 } }
3. 多签访问控制
对于高价值合约,使用多签钱包进行访问控制更安全。
contract MultiSigControl { address[] public owners; mapping(address => bool) public isOwner; uint256 public requiredConfirmations; struct Transaction { address to; uint256 value; bytes data; bool executed; uint256 confirmations; } Transaction[] public transactions; mapping(uint256 => mapping(address => bool)) public confirmed; modifier onlyOwner() { require(isOwner[msg.sender], "Not an owner"); _; } constructor(address[] memory _owners, uint256 _required) { require(_owners.length > 0, "Owners required"); require(_required > 0 && _required <= _owners.length, "Invalid required"); for (uint i = 0; i < _owners.length; i++) { address owner = _owners[i]; require(owner != address(0), "Invalid owner"); require(!isOwner[owner], "Owner not unique"); isOwner[owner] = true; owners.push(owner); } requiredConfirmations = _required; } function submitTransaction(address _to, uint256 _value, bytes memory _data) public onlyOwner returns (uint256) { uint256 txId = transactions.length; transactions.push(Transaction({ to: _to, value: _value, data: _data, executed: false, confirmations: 0 })); return txId; } function confirmTransaction(uint256 _txId) public onlyOwner { require(_txId < transactions.length, "Invalid tx"); require(!confirmed[_txId][msg.sender], "Already confirmed"); confirmed[_txId][msg.sender] = true; transactions[_txId].confirmations++; if (transactions[_txId].confirmations >= requiredConfirmations) { executeTransaction(_txId); } } function executeTransaction(uint256 _txId) internal { Transaction storage transaction = transactions[_txId]; require(!transaction.executed, "Already executed"); transaction.executed = true; (bool success, ) = transaction.to.call{value: transaction.value}(transaction.data); require(success, "Transaction failed"); } }
4. 时间锁访问控制
为敏感操作添加时间延迟,给用户反应时间。
contract TimelockControl { uint256 public constant DELAY = 2 days; struct PendingAction { bytes32 actionHash; uint256 executeTime; bool executed; } mapping(bytes32 => PendingAction) public pendingActions; event ActionScheduled(bytes32 indexed actionHash, uint256 executeTime); event ActionExecuted(bytes32 indexed actionHash); function scheduleAction(bytes32 actionHash) public onlyOwner { require(pendingActions[actionHash].executeTime == 0, "Already scheduled"); uint256 executeTime = block.timestamp + DELAY; pendingActions[actionHash] = PendingAction({ actionHash: actionHash, executeTime: executeTime, executed: false }); emit ActionScheduled(actionHash, executeTime); } function executeAction(bytes32 actionHash) public { PendingAction storage action = pendingActions[actionHash]; require(action.executeTime > 0, "Not scheduled"); require(block.timestamp >= action.executeTime, "Too early"); require(!action.executed, "Already executed"); action.executed = true; // 执行具体操作 emit ActionExecuted(actionHash); } function cancelAction(bytes32 actionHash) public onlyOwner { require(!pendingActions[actionHash].executed, "Already executed"); delete pendingActions[actionHash]; } }
5. 基于代币的访问控制
使用代币持有量来控制访问权限,常用于 DAO 治理。
contract TokenBasedAccess { IERC20 public governanceToken; uint256 public minTokensRequired; constructor(address _token, uint256 _minTokens) { governanceToken = IERC20(_token); minTokensRequired = _minTokens; } modifier onlyTokenHolder() { require(governanceToken.balanceOf(msg.sender) >= minTokensRequired, "Insufficient tokens"); _; } function propose(bytes memory proposal) public onlyTokenHolder { // 提案逻辑 } function vote(uint256 proposalId, bool support) public onlyTokenHolder { // 投票逻辑 } }
6. 组合访问控制模式
实际项目中通常需要组合多种访问控制模式。
import "@openzeppelin/contracts/access/AccessControl.sol"; import "@openzeppelin/contracts/security/Pausable.sol"; contract ComprehensiveAccess is AccessControl, Pausable { bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE"); bytes32 public constant OPERATOR_ROLE = keccak256("OPERATOR_ROLE"); bytes32 public constant EMERGENCY_ROLE = keccak256("EMERGENCY_ROLE"); mapping(address => bool) public whitelist; bool public whitelistEnabled; constructor() { _grantRole(DEFAULT_ADMIN_ROLE, msg.sender); _grantRole(ADMIN_ROLE, msg.sender); _grantRole(OPERATOR_ROLE, msg.sender); _grantRole(EMERGENCY_ROLE, msg.sender); } // 白名单检查 modifier onlyWhitelisted() { require(!whitelistEnabled || whitelist[msg.sender], "Not whitelisted"); _; } // 管理员功能:管理白名单 function addToWhitelist(address user) public onlyRole(ADMIN_ROLE) { whitelist[user] = true; } function removeFromWhitelist(address user) public onlyRole(ADMIN_ROLE) { whitelist[user] = false; } function toggleWhitelist(bool enabled) public onlyRole(ADMIN_ROLE) { whitelistEnabled = enabled; } // 操作员功能:日常操作 function processTransaction(address user, uint256 amount) public onlyRole(OPERATOR_ROLE) onlyWhitelisted whenNotPaused { // 处理交易逻辑 } // 紧急功能:暂停合约 function emergencyPause() public onlyRole(EMERGENCY_ROLE) { _pause(); } function emergencyUnpause() public onlyRole(ADMIN_ROLE) { _unpause(); } // 升级功能:只有 admin function upgrade(address newImplementation) public onlyRole(ADMIN_ROLE) { // 升级逻辑 } }
最佳实践总结
| 场景 | 推荐方案 | 说明 |
|---|---|---|
| 简单合约 | Ownable | 单所有者模式,简单有效 |
| 复杂合约 | AccessControl | 多角色管理,灵活安全 |
| 高价值合约 | 多签 + 时间锁 | 分散风险,增加安全缓冲 |
| DAO 治理 | 代币基础 | 去中心化治理 |
| 生产环境 | 组合模式 | 多种机制结合 |
安全注意事项
- 永远不要使用 tx.origin 进行权限检查:
// 危险! modifier onlyOwner() { require(tx.origin == owner, "Not owner"); // 错误! _; } // 正确 modifier onlyOwner() { require(msg.sender == owner, "Not owner"); _; }
- 权限转移要验证地址:
function transferOwnership(address newOwner) public onlyOwner { require(newOwner != address(0), "Invalid address"); // 必须验证 owner = newOwner; }
- 考虑使用 OpenZeppelin 库:经过审计的标准实现,减少安全风险。
- 定期审计权限设置:检查是否有不必要的权限或权限过大的账户。
- 实施最小权限原则:只授予完成工作所需的最小权限。