Blockchain Cryptography Ethereum Smart Contracts Solidity Web3

Access Restriction Patterns in Solidity

Solidity, the programming language for Ethereum smart contracts, offers immense power and flexibility. But with great power comes great responsibility – the responsibility to secure your code and prevent unauthorized access. This is where access restriction patterns come in.

Why Access Restriction Matters

Imagine a smart contract managing a community treasury. You wouldn’t want anyone to be able to withdraw funds freely, right? Access restriction patterns allow you to define who can call specific functions within your contract. This ensures only authorized users can perform critical actions, safeguarding your smart contract from unintended consequences or malicious attacks.

Popular Access Restriction Techniques in Solidity

Solidity provides various tools to implement access control. Here are some of the most common:

  • Ownable Pattern: This is a simple and widely used pattern where a single address, the owner, has control over specific functions. This pattern is suitable for contracts with a clear owner hierarchy, but may not be ideal for more complex scenarios.
  • Role-Based Access Control (RBAC): This pattern assigns different roles (e.g., admin, user) to addresses. Each role has specific permissions to call contract functions. RBAC offers more granular control compared to the Ownable pattern.
  • Whitelist: Here, you define a list of authorized addresses that can interact with the contract. This is a straightforward approach but requires manual maintenance as the whitelist grows.
  • Modifiers: These are reusable code blocks that can be applied to functions. You can create custom modifiers to check if the caller is authorized before allowing the function to proceed.
  • Multisig: This pattern requires multiple signatures from designated addresses to execute a specific action. This adds an extra layer of security for critical operations, making them less susceptible to single point of failure vulnerabilities.

1. Ownable Pattern:

contract Ownable {
  address public owner;

  constructor() {
    owner = msg.sender;

  modifier onlyOwner() {
    require(msg.sender == owner, "Only owner can call this function");
    _; // This represents the function body that requires ownership

  function someRestrictedFunction() public onlyOwner {
    // Function logic only accessible by the owner
  • This contract defines an owner state variable to store the address of the contract’s owner.
  • The constructor sets the owner to the address that deployed the contract (using msg.sender).
  • The onlyOwner modifier checks if the caller’s address (msg.sender) matches the owner address. If not, it throws a require exception, preventing the function execution.
  • The someRestrictedFunction is decorated with the onlyOwner modifier, ensuring only the owner can call it.

2. Role-Based Access Control (RBAC):


contract RBAC {
  mapping(string => mapping(address => bool)) public roles;

  constructor() public {
    _setupRole(keccak256("Admin"), msg.sender); // Grant admin role to deployer

  modifier onlyRole(string memory role) {
    require(hasRole(msg.sender, role), "Unauthorized access");

  function hasRole(address addr, string memory role) public view returns(bool) {
    return roles[role][addr];

  function grantRole(address addr, string memory role) public onlyRole("Admin") {
    roles[role][addr] = true;

  function revokeRole(address addr, string memory role) public onlyRole("Admin") {
    roles[role][addr] = false;
  • This contract uses a mapping called roles to track which addresses have specific roles (represented by strings).
  • The constructor assigns the “Admin” role to the deployer address.
  • The onlyRole modifier checks if the caller has the required role using the hasRole function.
  • The hasRole function retrieves the role status for a given address and role from the roles mapping.
  • The grantRole and revokeRole functions, accessible only to admins, allow adding and removing roles from addresses.

3. Whitelist:

contract Whitelist {
  mapping(address => bool) public whitelist;

  function addToWhitelist(address addr) public {
    whitelist[addr] = true;

  function removeFromWhitelist(address addr) public {
    whitelist[addr] = false;

  modifier onlyWhitelisted() {
    require(whitelist[msg.sender], "Not whitelisted");

  function someWhitelistedFunction() public onlyWhitelisted {
    // Function logic only accessible by whitelisted addresses
  • This contract uses a mapping called whitelist to keep track of authorized addresses.
  • The addToWhitelist and removeFromWhitelist functions allow managing the whitelist entries.
  • The onlyWhitelisted modifier restricts function access to addresses present in the whitelist.

4. Modifiers:

contract WithModifier {
  address public allowedAddress;

  modifier onlyAllowed() {
    require(msg.sender == allowedAddress, "Not allowed");

  function setAllowedAddress(address addr) public {
    allowedAddress = addr;

  function someRestrictedFunction() public onlyAllowed {
    // Function logic only accessible by the allowed address
  • This contract defines a simple modifier onlyAllowed that checks if the caller’s address matches the allowedAddress state variable.
  • The setAllowedAddress function allows specifying the address with access.
  • The someRestrictedFunction is decorated with the onlyAllowed modifier, granting access only to the pre-defined allowed address.

Choosing the Right Pattern

The best access restriction pattern for your smart contract depends on your specific needs. Consider factors like the complexity of your contract, the number of roles involved, and the desired level of security.

Beyond the Basics

Remember, access restriction is just one piece of the security puzzle. It’s crucial to thoroughly test your smart contract and conduct security audits to identify and address potential vulnerabilities.

Stay Secure, Build with Confidence

By implementing access restriction patterns effectively, you can ensure your Solidity smart contracts operate as intended, fostering trust and security within your decentralized application. So, leverage these patterns, and build robust, secure smart contracts that empower your blockchain endeavors!

Leave A Comment