The MysteryBox contract contains an unprotected changeOwner function, allowing any user to take control of the contract. This vulnerability enables an attacker to drain funds, manipulate rewards, and alter core contract parameters.
The vulnerability exists in the changeOwner function:
This function lacks access control, allowing any address to call it and become the new owner. The owner role in this contract has significant privileges, including the ability to withdraw all funds, add rewards, and change the box price.
Fund Drainage: An attacker can become the owner and immediately withdraw all funds from the contract using the withdrawFunds function.
Reward Manipulation: The attacker can add arbitrary rewards to the pool, potentially creating imbalances or draining more funds through manipulated rewards.
Price Manipulation: By calling setBoxPrice, the attacker can alter the cost of mystery boxes, potentially setting it to zero or an extremely high value.
Trust Erosion: Users may lose confidence in the protocol due to the potential for sudden ownership changes and fund losses.
Protocol Disruption: The attacker could significantly disrupt the intended functioning of the mystery box system, rendering it unusable or unprofitable.
An attacker can also set the new owner to the zero address after carrying out all of the above, leaving the contract's owner-only functions inaccessible forever.
This issue is easy to exploit: an attacker can simply call changeOwner with their own address to become the new owner.
Manual review
Remix IDE
To mitigate this vulnerability, implement proper access control on the changeOwner function:
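As an added illustration (not the audited MysteryBox code), a minimal Solidity contract showing the recommended fix: the unprotected form is kept commented out for comparison, and the corrected changeOwner is restricted to the current owner and also rejects the zero address, which closes the bricking scenario noted above. The contract name, the error and event names, and the withdrawFunds body are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal contract illustrating the fix; not the audited MysteryBox code.
contract MysteryBoxOwnershipExample {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotOwner(address caller);
    error ZeroAddressOwner();

    // Gate every privileged action on the caller being the current owner.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Unprotected pattern described in the finding: anyone can call it, and
    // nothing stops the owner being set to address(0). Shown only for comparison.
    // function changeOwner(address _newOwner) public {
    //     owner = _newOwner;
    // }

    // Fixed: only the current owner may transfer ownership, and the zero
    // address is rejected so the contract cannot be made permanently ownerless.
    function changeOwner(address _newOwner) external onlyOwner {
        if (_newOwner == address(0)) revert ZeroAddressOwner();
        address previous = owner;
        owner = _newOwner;
        emit OwnershipTransferred(previous, _newOwner);
    }

    // The other owner-only privileges named in the finding (withdrawFunds,
    // addReward, setBoxPrice) sit behind the same modifier; withdrawFunds shown.
    function withdrawFunds() external onlyOwner {
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
}
```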