In the `MysteryBox.sol` contract many functions rely on a `require` that checks if the `msg.sender` is in fact the owner. These functions include:
- `setBoxPrice` - Setting the box price
- `addReward` - Adding a whole new reward
- `withdrawFunds` - Withdrawing the funds from the contract
All of these but not the `changeOwner` function, which changes the address of the owner!
Missing access control checks on the `changeOwner` function which changes the address of the owner:
This vulnerability could potentially lead to loss of all funds in the contract. Consider the following scenario and test that can be added to testMysteryBox.t.sol:
1. The owner deployed with 0.1 ether (in the setup)
2. Two users buy boxes
3. An attacker sees the vulnerability
4. The attacker changes himself to be the owner
5. The attacker (now the owner of the contract) withdraws the funds
Manual Review, Unit Test
Add an onlyOwner modifier (then can be added to the necessary functions mentioned earlier):
Or can just add a check in `changeOwner` for owner:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.