Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of Access Controls in changeOwner Function

Summary H-1

Lack of Access Controls in changeOwner Function

Vulnerability Details

The changeOwner function in the MysteryBox contract lacks proper access control mechanisms. This vulnerability allows any user to call the changeOwner function and pass an arbitrary address, which changes the owner variable without any restrictions. As a result, an unauthorized user can take over ownership of the contract.

Proof of code

    function testHijack_Ownership() public {
        vm.startPrank(user1);
        console.log("Previous Owner", mysteryBox.owner());
        assert(mysteryBox.owner() != user1);
        mysteryBox.changeOwner(user1);
        console.log("New Owner", mysteryBox.owner());
        assertEq(mysteryBox.owner(), user1);
        vm.stopPrank();
        //// CONSOLE LOGS /////////////
        // Previous Owner 0x7c8999dC9a822c1f0Df42023113EDB4FDd543266
        // New Owner 0x0000000000000000000000000000000000000001
    }

Impact

The owner variable, which is critical for enforcing admin or onlyOwner functions, can be maliciously altered. This could lead to the original contract owner losing control over the contract and potentially losing any ETH or tokens held by the contract, as the new owner would gain full control.

Tools Used

Manual review

Recommendations

To mitigate this vulnerability, integrate OpenZeppelin's Ownable contract, which provides a secure implementation of ownership and includes an onlyOwner modifier. This modifier should be applied to all sensitive functions, including changeOwner, to restrict access to the current owner only.
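
The recommendation above, as an added example that is not the MysteryBox project's own code: a reduced, hypothetical stand-in contract (MysteryBoxHardened) whose changeOwner is gated by OpenZeppelin's onlyOwner, with Foundry tests showing the hijack call from the proof of code now reverts. It assumes OpenZeppelin Contracts v5 (initial owner passed to the constructor, custom errors) and forge-std; user1 and newAdmin are constructed addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical, reduced stand-in for MysteryBox: only the ownership logic is shown.
contract MysteryBoxHardened is Ownable {
    // Assumption: OpenZeppelin v5, where the initial owner is passed explicitly.
    constructor() Ownable(msg.sender) {}

    // Same external name as the vulnerable function, now restricted to the current owner.
    function changeOwner(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert OwnableInvalidOwner(address(0));
        _transferOwnership(newOwner); // emits OwnershipTransferred
    }
}

contract MysteryBoxHardenedTest is Test {
    MysteryBoxHardened internal box;
    address internal user1 = address(0x1); // constructed non-owner address
    address internal newAdmin = address(0xA11CE); // constructed successor address

    function setUp() public {
        box = new MysteryBoxHardened(); // deployer (this test contract) becomes owner
    }

    function test_NonOwnerCannotChangeOwner() public {
        vm.prank(user1);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, user1)
        );
        box.changeOwner(user1);
        assertEq(box.owner(), address(this)); // ownership unchanged after the revert
    }

    function test_OwnerCanChangeOwner() public {
        box.changeOwner(newAdmin);
        assertEq(box.owner(), newAdmin);
    }

    function test_ZeroAddressRejected() public {
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableInvalidOwner.selector, address(0)));
        box.changeOwner(address(0));
    }
}
```

With OpenZeppelin v4 the constructor takes no argument and the revert is the string "Ownable: caller is not the owner", so the expectRevert arguments would differ.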

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
