Mystery Box

First Flight #25
Beginner Friendly
Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of `onlyOwner` modifier or `if statement` in function `changeOwner`

Summary

Because the function does not have the `onlyOwner` modifier or an `if` statement that checks protocol ownership, any user can change protocol ownership and become the protocol's admin/owner.

In smart contracts, especially those written in Solidity, the `onlyOwner` modifier is commonly used to restrict access to certain functions so that only the contract owner can execute them. Without such a modifier or an equivalent access control mechanism, any user can call the function and change the ownership, which leads to security vulnerabilities.

Vulnerability Details

Through this vulnerability, a potential attacker can take ownership of the protocol and then:

  • change the mystery box's price,

  • call `withdrawFunds`,

  • call `addReward`.

Impact

Any user can change protocol ownership and become the protocol's admin/owner.

Tools Used

Foundry

Recommendations

Add the `onlyOwner` modifier, or an `if` or `require` statement, to check ownership.

```solidity
// Vulnerable: no ownership check, so any caller can take over the contract.
function changeOwner(address _newOwner) public {
    owner = _newOwner;
}

// @audit to
// Fixed: only the current owner can transfer ownership. An `onlyOwner`
// modifier, if the contract defines one, is an equivalent alternative.
function changeOwner(address _newOwner) public {
    require(msg.sender == owner, "Only owner can change owner");
    owner = _newOwner;
}
```
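The following Foundry test is an added example, not part of this submission or of the contest's MysteryBox.sol. It uses two minimal stand-in contracts, `VulnerableOwnable` (the unchecked `changeOwner` described above) and `FixedOwnable` (the recommended ownership check, plus a zero-address guard that goes beyond the finding), and shows that a non-owner call succeeds against the first and reverts against the second. Contract names, the `attacker`/`deployer` addresses and the revert message are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the affected contract: ownership can be changed by anyone.
contract VulnerableOwnable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // No access check: any caller can take ownership.
    function changeOwner(address _newOwner) public {
        owner = _newOwner;
    }
}

// Hardened version: only the current owner may transfer ownership.
contract FixedOwnable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner can change owner");
        _;
    }

    function changeOwner(address _newOwner) public onlyOwner {
        // Extra guard (assumption, not from the finding): never burn ownership.
        require(_newOwner != address(0), "New owner is the zero address");
        owner = _newOwner;
    }
}

contract ChangeOwnerTest is Test {
    address deployer = makeAddr("deployer");
    address attacker = makeAddr("attacker");

    VulnerableOwnable vulnerable;
    FixedOwnable fixedContract;

    function setUp() public {
        vm.startPrank(deployer);
        vulnerable = new VulnerableOwnable();
        fixedContract = new FixedOwnable();
        vm.stopPrank();
    }

    // Reproduces the finding: a non-owner becomes owner of the vulnerable contract.
    function test_AnyoneCanChangeOwnerOnVulnerable() public {
        vm.prank(attacker);
        vulnerable.changeOwner(attacker);
        assertEq(vulnerable.owner(), attacker);
    }

    // Regression test for the fix: the same call reverts and ownership is unchanged.
    function test_NonOwnerCannotChangeOwnerOnFixed() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("Only owner can change owner"));
        fixedContract.changeOwner(attacker);
        assertEq(fixedContract.owner(), deployer);
    }

    // The legitimate owner can still transfer ownership after the fix.
    function test_OwnerCanChangeOwnerOnFixed() public {
        address newOwner = makeAddr("newOwner");
        vm.prank(deployer);
        fixedContract.changeOwner(newOwner);
        assertEq(fixedContract.owner(), newOwner);
    }
}
```

Run it with `forge test --match-contract ChangeOwnerTest -vv` in a Foundry project that has forge-std installed. The first test is the proof of concept for the finding; the other two are what a reviewer should expect to keep passing once the `require` (or `onlyOwner` modifier) is in place.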
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
