Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unrestricted changeOwner Function

lamsy

Summary:
The changeOwner() function allows anyone to change the owner of the contract, making the entire protocol susceptible to attacks. Malicious actors can take control of the contract, granting them the ability to modify critical settings, drain funds, or execute other unauthorized actions.

Vulnerability Details:

  • The changeOwner() function does not check if the caller is the current owner, meaning any user can call the function and replace the contract’s owner with their own address.

  • Location: changeOwner()

Impact:

Complete Control of Contract: An attacker who changes the ownership will have full access to all owner-only functions, such as setting the box price, adding rewards, and withdrawing funds.
Fund Loss: If an unauthorized user becomes the owner, they can withdraw all funds from the contract, resulting in loss of assets for legitimate users and the original owner.

Tools Used:

  • Manual

  • Remix IDE

Recommendations:

Add an access control check to ensure only the current owner can change ownership:

or use OpenZeppelin (Ownable) contract library.

function changeOwner(address _newOwner) public
{require(msg.sender == owner, "Only owner can change ownership");
owner = _newOwner;
}
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.