The function changeOwner
can be called by anyone.
On line 111 of the code, the changeOwner
function does not implement proper access control, allowing any user to set the owner of the contract to any arbitrary address.
An attacker can call the changeOwner
function to take ownership of the contract. Once ownership is gained, the attacker can set the box price, add rewards, and worst of all, call the withdrawFunds
function to steal all contract funds.
Manual inspection.
Implement access control to restrict the changeOwner
function to the current owner only. This can be done by adding a require
statement:
Alternatively, use a modifier and a custom error for better readability and gas optimization:
Apply the onlyOwner
modifier to other functions that require ownership control. Additionally, since the function is called externally, it should be marked as external
instead of public
.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.