Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of access control in `changeOwner` function

Summary

The changeOwner function in the contract lacks proper access control, allowing any user to change the contract's owner. This oversight poses significant security risks, as unauthorized users can gain control over the contract.

Vulnerability Details

The issue arises from the changeOwner function in the smart contract, which allows the transfer of ownership without proper access control. The function is implemented as follows:

    function changeOwner(address _newOwner) public {
        // No check on msg.sender: any caller can overwrite owner.
        owner = _newOwner;
    }

There is no restriction on who can call this function, meaning any external user or malicious actor could invoke it and change the contract's owner to any address, including their own. Once they become the owner, they would have full control over functions that are intended to be restricted to the owner, such as fund withdrawals or changing critical parameters of the contract.

Impact

An attacker can change the owner of the contract to their own address, gaining control over all owner-only functions. Once ownership is transferred to a malicious actor, the legitimate owner may have no way of recovering control, especially if the attacker withdraws funds or halts key contract functions.

Tools Used

Manual Review

Recommendations

Add an access control check to ensure that only the current owner can call the changeOwner function.

function changeOwner(address _newOwner) public {
+ require(msg.sender == owner, "Only the owner can change ownership");
owner = _newOwner;
}
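Review bot: The assignment `owner = _newOwner;` after the new `require` still accepts any address, including `address(0)`, so a single mistaken call by the owner can leave the contract without a usable owner. Consider rejecting the zero address before the assignment, and emitting an event when the owner changes so transfers are visible to off-chain monitoring; neither appears in the lines shown.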
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
