Unrestricted Access to changeOwner Function Allows Unauthorized Ownership Transfer
Summary
The changeOwner function in the MysteryBox contract allows anyone to change the contract's ownership without any restrictions. This vulnerability enables unauthorized users to gain control of the contract, posing significant security and financial risks.
Vulnerability Details
The changeOwner function is accessible to any address without access control. There is no require statement checking if the caller is the current owner, allowing anyone to call this function and transfer ownership to themselves or another address.
Without proper access control, this function can be exploited by malicious actors to take control of the contract and its assets.
Impact
The impact of this vulnerability is severe, as it allows an attacker to:
Gain control over key contract functions that are restricted to the owner, such as withdrawing funds or modifying critical parameters like
boxPriceorrewardPool.Transfer all the contract's funds or assets, leading to potential financial loss for the current owner and users of the contract.
Modify contract behavior to harm users or steal rewards.
Tools Used
Manual review
Recommendations
To mitigate this vulnerability, restrict access to the changeOwner function by adding a require statement that ensures only the current owner can change the ownership:
This ensures that only the current owner can authorize an ownership transfer, preventing unauthorized users from taking control of the contract.
Appeal created
Anyone can change owner
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.