The function MysteryBox.sol:changeOwner has broken access control. The function is public and performs no check that the caller is the current owner, so any account that calls it can set a new owner.
Calling changeOwner lets any caller set whatever address they pass as the new owner.
The contract could be exploited and drained: an attacker calls changeOwner to make an address they control the new owner, then calls withdrawFunds, resulting in a total loss of funds.
Manual Analysis
Create an onlyOwner modifier and apply it to every function that should be callable only by the owner, changeOwner included.
Or add an access control check such as:
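The following is an added example and not the audited MysteryBox.sol: it shows the unprotected shape of changeOwner described above next to a hardened version that gates owner-only functions with an onlyOwner modifier. The contract, function and state-variable names (owner, changeOwner, withdrawFunds) follow the finding; the event, the zero-address check and the constructor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example, not the audited contract.

// Vulnerable shape from the finding: changeOwner is public and checks nothing
// about the caller, so any account can take ownership and then withdraw.
contract MysteryBoxVulnerable {
    address public owner;

    constructor() payable { owner = msg.sender; }

    function changeOwner(address _newOwner) public {
        owner = _newOwner; // no access control
    }

    function withdrawFunds() public {
        require(msg.sender == owner, "Only owner can withdraw");
        payable(owner).transfer(address(this).balance);
    }
}

// Hardened version: onlyOwner gates every owner-only action, the new owner
// cannot be the zero address, and each transfer is logged for monitoring.
contract MysteryBoxFixed {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner can call this function");
        _;
    }

    constructor() payable { owner = msg.sender; }

    function changeOwner(address _newOwner) public onlyOwner {
        require(_newOwner != address(0), "New owner is the zero address");
        emit OwnershipTransferred(owner, _newOwner);
        owner = _newOwner;
    }

    function withdrawFunds() public onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
}
```

A Foundry or Hardhat test that calls changeOwner from a non-owner account should revert against MysteryBoxFixed and succeed against MysteryBoxVulnerable, which is the quickest way to confirm the finding and the fix.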