Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Ownership can be changed by anybody. as every-one can access changeOwner()

vishwa

Summary

Ownership can be changed by anybody. as every-one can access changeOwner(),

onlyOwner,modifier or required() is not created for changing ownership of the contract ,so anyone who has access to the contract abi function of "changeOwner()" can change ownership and withdraw funds of both initial used while creating contract of "0.1 ether" + "remaining balance of the contract"

Vulnerability Details

function changeOwner(address _newOwner) public {
owner = _newOwner;
}

No modifier or require is used to restrict other users from executing changeOwner function.

Impact

anyone who has access to the contract abi function of "changeOwner()" can change ownership and withdraw funds of both initial used while creating contract of "0.1 ether" + "remaining balance of the contract".

How could it harm the protocol or users?

By changing the ownership "Attacker" can do:-

1.setBoxPrice

2.addReward

3.withdrawFunds()

Tools Used

(VScode) Manually

Recommendations

Add restriction for changing Ownership so only owner can change ownership.

modifier onlyOwner(){
require(owner==msg.sender,"only Owner can call this function");
_;
}
function changeOwner(address _newOwner) public onlyOwner {
owner = _newOwner;
}

OR

function changeOwner(address _newOwner) public {
require(owner==msg.sender,"only Owner can call this function");
owner = _newOwner;
}
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!