The changeOwner function lacks any access control, meaning that anyone can call it and set themselves or any other address as the contract’s owner. This is a serious vulnerability because the owner has critical privileges within the contract, such as setting box prices or withdrawing all contract funds.
By exploiting this vulnerability, a malicious actor can take control of the entire contract, change key parameters, and drain funds.
This is a high-severity vulnerability because any user can become the owner of the contract.
The malicious owner can then set arbitrary box prices, add or manipulate rewards, and withdraw all the contract’s funds, causing severe financial loss to the legitimate owner and users.
The absence of access control allows full control of the contract to be transferred to an attacker with no restrictions.
Manual review, Visual Studio Code (VSCode)
To fix this issue, implement an access control mechanism to ensure that only the current owner can change ownership. A require statement should be added to restrict the function's use.
This ensures that only the contract owner can execute the ownership transfer, preventing unauthorized access and control over the contract.
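The recommended fix, shown as an added example that is not the audited contract's own code. Only the function name changeOwner comes from the finding; the contract name, the `owner` variable, the `_newOwner` parameter, the event and the zero-address check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract: every name except changeOwner is an assumption,
// not taken from the audited code base.
contract OwnerChangeExample {
    address public owner;

    // Assumption: an event is added so ownership changes can be monitored off-chain.
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    // Pattern described in the finding (kept as a comment for comparison):
    // there is no caller check, so any account can overwrite `owner`.
    //
    // function changeOwner(address _newOwner) public {
    //     owner = _newOwner;
    // }

    // Hardened form: the require statement rejects every caller except
    // the current owner before the state change happens.
    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only the owner can change ownership");
        // Assumption: extra safeguard beyond the finding, so ownership
        // cannot be handed to the zero address by mistake.
        require(_newOwner != address(0), "New owner is the zero address");

        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }
}
```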