Dimension 1: Access Control
Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.
What We Measure
We analyze the complete permission architecture of a protocol: who can call what, under which conditions, and with what authorization proof. This encompasses role-based access control patterns, reentrancy guards and callback safety, admin surface area and privilege escalation paths, authorization modifiers on state-changing functions, role separation between operational and emergency powers, cross-contract authorization delegation, and the attack surface exposed to untrusted callers. Access control is the single highest-weighted dimension because historical data shows it correlates most strongly with catastrophic exploits — unauthorized access to privileged functions accounts for the largest dollar losses in DeFi history.
What Raises This Score
Minimal admin surface with clearly bounded capabilities (e.g., fee-setting only, capped)
Transient storage locks or equivalent reentrancy elimination patterns
Permissionless core operations with no privileged fast-paths
Fine-grained role separation (separate roles for pause, upgrade, configuration)
Time-delayed execution on all admin actions
Callback safety patterns that prevent unauthorized re-entry
Formal verification of access control invariants
What Lowers This Score
Single entity controlling all privileged functions
Missing or inconsistent authorization modifiers on state-changing functions
Admin functions that can drain user funds or modify core logic
Reentrancy vulnerabilities in callback-heavy architectures
Cross-contract authorization that trusts intermediate contracts
Privileged functions callable without timelock or multisig
Upgradeable proxies with unrestricted upgradeToAndCall patterns
Why This Weight
At 18%, Access Control carries the highest weight because empirical analysis of 200+ DeFi exploits shows that unauthorized access to privileged functions — whether through missing auth checks, reentrancy, or privilege escalation — accounts for the single largest category of dollar losses. When access control fails, the entire protocol is compromised in a single transaction.