Public Access Control Vulnerability in changeOwner() Function
Summary
The changeOwner() function is publicly accessible and does not check if the caller is the current owner of the contract before changing the ownership of the contract. This allows anyone to call the function and transfer ownership to themselves or another malicious address
Vulnerability Details
The changeOwner() function can be called by anyone due to its public visibility. Additionally, there is no validation in place to check whether msg.sender is the current owner. As a result, an attacker can claim ownership of the contract and take control, leading to potential abuse, including the withdrawal of funds or unauthorized modifications.
Impact
Any user, including a malicious actor, can take over ownership of the contract. This gives the attacker full control, allowing them to access owner-restricted functions, such as :
-
setBoxPrice() : attacker can claim ownership and modify the box price
-
withdrawFunds() : attacker can claim ownership and proceed to call the withdrawFunds() method and completely drain the contract
-
addReward() : after claiming ownership, an attacker can add new reward by calling the addReward() function
All users interacting with the contract, including buyers and reward eligible users, are at risk since an attacker gaining control would disrupt the intended contract functionality and compromise the trust in the system and potentially making users lose their rewards.
Tools Used
manual review
Recommendations
Implement an ownership check to ensure that only the current owner can call the changeOwner() function. Use the require() statement to enforce this access control.
As I have indicated below :
Appeal created
Anyone can change owner
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.