Contract functions that execute critical logic should enforce appropriate access control through address checks (e.g. owner, controller, etc.), typically in modifiers.
Missing checks allow attackers to control critical logic. (see here and here)
- Access to Functions
- Public/External Functions
- Addresses: Anyone/Owner/RBAC
- Correct Modifiers/Addresses -> Enforce Access
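
The checklist above applied to a single contract, as an added example that is not code from the original page: the same two critical functions are shown first without an address check and then guarded by a modifier. All contract, function and variable names (`VaultUnguarded`, `VaultGuarded`, `feeRecipient`, `onlyOwner`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example; every contract, function and variable name is hypothetical.
// Before: both state-changing functions are external with no address check,
// so any caller can change the recipient and trigger the payout.
contract VaultUnguarded {
    address public owner; // recorded but never checked
    address payable public feeRecipient;

    constructor() {
        owner = msg.sender;
        feeRecipient = payable(msg.sender);
    }
    receive() external payable {}

    function setFeeRecipient(address payable newRecipient) external {
        feeRecipient = newRecipient;
    }
    function withdraw() external {
        (bool ok, ) = feeRecipient.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

// After: the same functions carry an owner check enforced by a modifier.
contract VaultGuarded {
    address public immutable owner;
    address payable public feeRecipient;
    error NotOwner(address caller);

    // Reverts before the function body runs unless the caller is the owner.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }
    constructor() {
        owner = msg.sender;
        feeRecipient = payable(msg.sender);
    }
    receive() external payable {}

    function setFeeRecipient(address payable newRecipient) external onlyOwner {
        feeRecipient = newRecipient;
    }
    function withdraw() external onlyOwner {
        (bool ok, ) = feeRecipient.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing, list every `public`/`external` function that writes state or moves value and confirm each one either carries the intended modifier or is deliberately open to anyone.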