fix: Add access control to DeviceRegistry registration #17

Open
LSUDOKO wants to merge 1 commit into c2siorg:main from LSUDOKO:fix/missing-access-control-device-registration

@LSUDOKO LSUDOKO commented Mar 15, 2026

Fix: Missing Access Control on Device Registration

Description

This Pull Request addresses a critical security vulnerability in DeviceRegistry.sol where the registerDevice function was publicly accessible without any access control.

Previously, any Ethereum address could register itself as a valid device. This bypassed the hardware authenticity requirement and allowed attackers to mint forged NFTs by registering malicious device addresses.


Changes Made

1. Inherited Ownable

Modified DeviceRegistry to inherit from OpenZeppelin's Ownable contract to introduce a standard access-control mechanism.

2. Initialized Owner

Added a constructor to properly initialize the Ownable state with msg.sender as the contract owner.

3. Restricted Device Registration

Applied the onlyOwner modifier to the registerDevice function to ensure that only the contract owner can register new devices.


Impact & Security Gains

  • Only the contract owner (deployer) can authorize and register new devices.
  • Prevents attackers from injecting malicious device addresses into the registry.
  • Restores the trust model of the system by ensuring that only legitimate hardware devices can be registered.

fix #13
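
The three changes listed in the description, shown as an unrestricted contract beside a restricted one. This is an added illustration, not the pull request's diff or the project's code. It assumes OpenZeppelin Contracts 5.x; the `registerDevice(address)` signature, the `isRegistered` mapping, the event and both contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Before: no caller check, so any address can add an entry to the registry.
// Contract name, mapping and function signature are hypothetical.
contract DeviceRegistryUnrestricted {
    mapping(address => bool) public isRegistered;

    function registerDevice(address device) external {
        isRegistered[device] = true;
    }
}

// After: inherit Ownable, initialize the owner, restrict registration.
contract DeviceRegistryRestricted is Ownable {
    mapping(address => bool) public isRegistered;

    // Not described in the PR: an event gives monitoring a record of
    // every registration and of the device address involved.
    event DeviceRegistered(address indexed device);

    // OpenZeppelin 5.x Ownable takes the initial owner as a constructor
    // argument; passing msg.sender makes the deployer the owner.
    constructor() Ownable(msg.sender) {}

    // onlyOwner reverts with OwnableUnauthorizedAccount(caller) when the
    // caller is not the current owner.
    function registerDevice(address device) external onlyOwner {
        // Input checks below are not described in the PR.
        require(device != address(0), "zero address");
        require(!isRegistered[device], "already registered");
        isRegistered[device] = true;
        emit DeviceRegistered(device);
    }
}
```

With this pattern the owner key is the single point of trust for the registry: `transferOwnership` and `renounceOwnership` inherited from Ownable change or remove who can register devices.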

Development

Successfully merging this pull request may close these issues.

Missing Access Control on Device Registration