Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

No Access Control for `changeOwner()` Function

Summary

The changeOwner() function lacks proper access control, allowing any user to change the contract’s ownership. This introduces a critical vulnerability that can lead to unauthorized takeover of the contract by a malicious actor.

Vulnerability Details

In the current implementation, the changeOwner() function does not restrict who can call it:

```solidity
function changeOwner(address _newOwner) public {
    // No check on msg.sender: any caller can overwrite `owner`
    owner = _newOwner;
}
```

Any user, including a malicious one, can call this function and set themselves as the owner of the contract. Once ownership is transferred, the attacker has full control over the contract, including setting prices, adding rewards, or withdrawing funds.

Impact

This allows any user to take over the contract and act as the new owner. As a result, the attacker can drain funds from the contract or manipulate the protocol to their advantage, causing substantial financial and reputational damage.

Tools Used

Manual code review

Recommendations

Implement access control to restrict this function to the current owner only:

```solidity
function changeOwner(address _newOwner) public {
    require(msg.sender == owner, "Only the current owner can change ownership");
    require(_newOwner != address(0), "New owner cannot be the zero address");
    owner = _newOwner;
}
```

This ensures only the owner can transfer ownership and prevents transferring ownership to the zero address.
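A Foundry regression test for the recommended fix, as an added example that is not part of the original submission or the audited code base. `OwnedBox` is a hypothetical stand-in that carries only the patched function, and the test names and addresses are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for the audited contract: only the owner
// state and the patched changeOwner() from the recommendation above.
contract OwnedBox {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only the current owner can change ownership");
        require(_newOwner != address(0), "New owner cannot be the zero address");
        owner = _newOwner;
    }
}

contract ChangeOwnerAccessControlTest is Test {
    OwnedBox internal box;
    // Constructed test addresses (assumptions, not from the audited deployment)
    address internal deployer = makeAddr("deployer");
    address internal stranger = makeAddr("stranger");
    address internal successor = makeAddr("successor");

    function setUp() public {
        vm.prank(deployer); // deploy as `deployer`, so it becomes the owner
        box = new OwnedBox();
    }

    // The access-control check: a call from a non-owner must revert
    // and leave ownership untouched.
    function test_NonOwnerCannotChangeOwner() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("Only the current owner can change ownership"));
        box.changeOwner(stranger);
        assertEq(box.owner(), deployer);
    }

    // The zero-address check, then the legitimate hand-over path.
    function test_OwnerCanTransferButNotToZero() public {
        vm.prank(deployer);
        vm.expectRevert(bytes("New owner cannot be the zero address"));
        box.changeOwner(address(0));

        vm.prank(deployer);
        box.changeOwner(successor);
        assertEq(box.owner(), successor);
    }
}
```

Run with `forge test`; against the unpatched function, `test_NonOwnerCannotChangeOwner` fails because the call does not revert.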

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
