The change owner function, which is public, should change the ownership of a box, but instead it changes the ownership of the whole contract. Since it has no checks in place, any user can change the contract ownership to themselves and withdraw the funds from the contract.
The change owner function must have a check in place verifying that msg.sender is the current owner. The logic of the change owner function is also supposed to change the ownership of a box, not of the contract itself.
-> Manual Review
-> Foundry
Introduce a variable that assigns a unique ID to every box a user buys, and change the function so that it transfers ownership of a single box: take the box's unique ID as input and check that the caller owns that box before changing its owner.
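The following contract is an added illustration of the recommended fix and is not the audited project's code. The contract and function names (BoxShop, buyBox, changeBoxOwner, transferContractOwnership, the Box struct and the custom errors) are assumptions chosen for the example. It keeps per-box ownership keyed by a unique ID, restricts box transfers to the box's current owner, and keeps contract-level ownership and withdrawal behind an onlyOwner check, so the two kinds of ownership can no longer be confused.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative example added to this finding; names are assumptions, not the audited code.
contract BoxShop {
    struct Box {
        address owner;      // current owner of this box
        uint256 paidAmount; // amount paid when the box was bought
    }

    address public owner;                  // contract owner, the only account allowed to withdraw
    uint256 public nextBoxId;              // unique id handed out for every box sold
    mapping(uint256 => Box) public boxes;  // boxId => box data

    error NotContractOwner();
    error NotBoxOwner(uint256 boxId, address caller);
    error ZeroAddress();

    event BoxBought(uint256 indexed boxId, address indexed buyer, uint256 amount);
    event BoxOwnerChanged(uint256 indexed boxId, address indexed from, address indexed to);
    event ContractOwnerChanged(address indexed from, address indexed to);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotContractOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Every purchase receives its own id so that ownership is tracked per box.
    function buyBox() external payable returns (uint256 boxId) {
        boxId = nextBoxId++;
        boxes[boxId] = Box({owner: msg.sender, paidAmount: msg.value});
        emit BoxBought(boxId, msg.sender, msg.value);
    }

    /*
     * Pattern described in the finding, shown only for contrast (not part of this contract):
     *
     *   function changeOwner(address newOwner) public {
     *       owner = newOwner;   // rewrites the CONTRACT owner and has no caller check
     *   }
     */

    /// Fixed behaviour: transfers ownership of one box, and only its current owner may do so.
    function changeBoxOwner(uint256 boxId, address newOwner) external {
        if (newOwner == address(0)) revert ZeroAddress();
        Box storage box = boxes[boxId];
        if (box.owner != msg.sender) revert NotBoxOwner(boxId, msg.sender);
        address previous = box.owner;
        box.owner = newOwner;
        emit BoxOwnerChanged(boxId, previous, newOwner);
    }

    /// Contract-level ownership is a separate operation guarded by the contract owner check.
    function transferContractOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        emit ContractOwnerChanged(owner, newOwner);
        owner = newOwner;
    }

    /// Withdrawal stays restricted to the contract owner.
    function withdraw() external onlyOwner {
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
}
```

A Foundry regression test for this fix would have a non-owner account call changeBoxOwner on a box it does not own and expect a NotBoxOwner revert, then call transferContractOwnership and expect NotContractOwner, and finally confirm that the box's actual owner can transfer it and that the contract owner is unchanged afterwards.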