The changeOwner function does not implement proper access control, allowing anyone to change the contract owner.
The current implementation of the changeOwner function lacks restrictions, meaning any user can call the function to reassign ownership. This introduces a critical vulnerability, as shown in the code snippet below:
Without proper access control, any user, not just the current owner, can take over the contract by calling this function.
The legitimate owner can lose ownership of the contract, potentially leading to loss of control over critical functions.
Manual Review
Implement appropriate access control to ensure that only the current owner can change ownership. For example, using the onlyOwner modifier would restrict this function to the contract owner: