Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

H1 Lack of Access Control

Summary

The changeOwner function in the MysteryBox contract lacks a security check to ensure that only the current owner can change the owner address. This oversight allows any user to modify the owner, potentially leading to unauthorized control of the contract.

Vulnerability Details

The changeOwner function does not include a require statement to verify that the caller is indeed the current owner of the contract. This omission means that any address can call this function and set a new owner, undermining the contract's intended access control.

Impact

This vulnerability poses a significant risk to the security and integrity of the contract. An unauthorized user could assume ownership, allowing them to:

  • Withdraw all funds from the contract.

  • Modify key parameters, including box prices and reward distribution.

  • Potentially render the contract non-functional or exploit it for malicious purposes.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, implement the following changes:

  1. Add a require statement in the changeOwner function to check that msg.sender is equal to owner.

    function changeOwner(address _newOwner) public {
        // Reject any caller other than the current owner.
        require(msg.sender == owner, "Only owner can change ownership");
        owner = _newOwner;
    }
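A Foundry regression test for the recommended check, added here as an example and not taken from the submission or the MysteryBox code base. `OwnedBox` is a hypothetical minimal stand-in that contains only the ownership logic, and it assumes the constructor sets `owner` to the deployer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for MysteryBox: ownership logic only, with the
// recommended check applied. Constructor behaviour is an assumption.
contract OwnedBox {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only owner can change ownership");
        owner = _newOwner;
    }
}

contract ChangeOwnerAccessTest is Test {
    OwnedBox internal box;
    // Constructed test addresses.
    address internal deployer = makeAddr("deployer");
    address internal outsider = makeAddr("outsider");
    address internal successor = makeAddr("successor");

    function setUp() public {
        vm.prank(deployer); // deploy as `deployer` so it becomes the owner
        box = new OwnedBox();
    }

    // A call from a non-owner must revert and leave ownership untouched.
    function test_NonOwnerCannotChangeOwner() public {
        vm.prank(outsider);
        vm.expectRevert(bytes("Only owner can change ownership"));
        box.changeOwner(outsider);
        assertEq(box.owner(), deployer);
    }

    // The current owner can still hand over ownership.
    function test_OwnerCanChangeOwner() public {
        vm.prank(deployer);
        box.changeOwner(successor);
        assertEq(box.owner(), successor);
    }
}
```

Run with `forge test`; against a contract where the `require` is missing, `test_NonOwnerCannotChangeOwner` fails because the call does not revert.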

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
