Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

[L-02] Missing Zero Address check in MysteryBox::changeOwner, contract can have no owner

Summary

The MysteryBox::changeOwner function does not check whether the new owner address is the zero address. If the zero address is passed, the contract is left with no owner and its key functions can never be executed again.

Vulnerability details

As can be seen below, there is no check on the value of _newOwner, so the value passed to the function could be the zero address, which no one controls.

function changeOwner(address _newOwner) public {
    owner = _newOwner;
}

Impact

The following functions will no longer be able to be called:

  • MysteryBox::addReward

  • MysteryBox::withdraw

  • MysteryBox::setBoxPrice

  • MysteryBox::changeOwner

As a result, the core functionality of the game will be frozen, as no new rewards can be added and the price of the mystery boxes will permanently remain the same. Additionally, only the players will be able to earn ether from the contract as no one is able to call MysteryBox::withdraw.

Tools Used

Manual review & Aderyn

Recommended Mitigation

Add a check that the address is not the zero address, as seen below:

function changeOwner(address _newOwner) public {
    require(_newOwner != address(0), "Owner cannot be zero address");
    owner = _newOwner;
}
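
The Foundry test below is an added example, not part of the original submission or the MysteryBox code base. It uses a hypothetical BoxStub contract, with an assumed owner check on setBoxPrice and a hypothetical changeOwnerChecked name for the patched setter, to show the lock-out described under Impact and the revert introduced by the recommended mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the ownership logic; not the MysteryBox source.
contract BoxStub {
    address public owner;
    uint256 public boxPrice;

    constructor() { owner = msg.sender; }

    // Unpatched form, as quoted in the finding.
    function changeOwner(address _newOwner) public {
        owner = _newOwner;
    }

    // Patched form from the recommended mitigation (function name is hypothetical).
    function changeOwnerChecked(address _newOwner) public {
        require(_newOwner != address(0), "Owner cannot be zero address");
        owner = _newOwner;
    }

    // Assumed owner gate, standing in for the owner-restricted functions.
    function setBoxPrice(uint256 _price) public {
        require(msg.sender == owner, "Only owner");
        boxPrice = _price;
    }
}

contract ZeroOwnerTest is Test {
    BoxStub box;

    function setUp() public {
        box = new BoxStub(); // the test contract is the deployer and owner
    }

    function test_ZeroOwnerLocksGatedCall() public {
        box.changeOwner(address(0));
        assertEq(box.owner(), address(0));
        vm.expectRevert("Only owner");
        box.setBoxPrice(1 ether); // the former owner is now rejected
    }

    function test_CheckedSetterRejectsZero() public {
        vm.expectRevert("Owner cannot be zero address");
        box.changeOwnerChecked(address(0));
        assertEq(box.owner(), address(this)); // owner is unchanged
    }
}
```
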
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
