Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Anyone can become owner and steal all funds.

Summary

changeOwner() has no restrictions, so anyone can change the owner and steal all funds.

Vulnerability Details

The changeOwner() function does not include an ownership check or any form of access control. This means that any user who interacts with the contract can call this function and change the contract's owner to any address, including their own.

Impact

Malicious users can take over the contract by setting themselves as the owner and steal all funds.
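
A Foundry regression test for this finding, added here as an example and not taken from the audited code base. `OwnableBox` is a hypothetical stand-in that models only the owner logic with a caller check in place; the contract and test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract: only the owner logic is modelled.
contract OwnableBox {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Hardened form: the caller must be the current owner.
    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only owner can execute this");
        owner = _newOwner;
    }
}

contract ChangeOwnerAccessTest is Test {
    OwnableBox box;
    address stranger = makeAddr("stranger"); // constructed test address

    function setUp() public {
        // The test contract deploys the box, so address(this) is the owner.
        box = new OwnableBox();
    }

    // Fails if changeOwner() is unrestricted, passes once the caller check exists.
    function test_NonOwnerCannotChangeOwner() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("Only owner can execute this"));
        box.changeOwner(stranger);
        assertEq(box.owner(), address(this));
    }

    // The legitimate path must keep working after the fix.
    function test_OwnerCanChangeOwner() public {
        box.changeOwner(stranger);
        assertEq(box.owner(), stranger);
    }
}
```

Keeping the negative test in the suite catches any later refactor that drops the check.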

Tools Used

Manual Review

Recommendations

function changeOwner(address _newOwner) public onlyOwner {
+ require(msg.sender == owner, "Only owner can execute this");
owner = _newOwner;
}
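
Review bot: on the signature line, `onlyOwner` appears as unchanged context while the added `require(msg.sender == owner, ...)` performs the same check, so either the fix is redundant or the modifier is not actually present in the contract, which is what the Summary's "no restrictions" implies. If the modifier is the intended fix, mark the signature line as changed; otherwise drop `onlyOwner` from the snippet and keep only the `require`. Also consider rejecting `_newOwner == address(0)`, since the assignment to `owner` is otherwise unvalidated.
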
Updates

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
