The MysteryBox::changeOwner function is missing access control.
The MysteryBox::changeOwner function does not check whether the caller (msg.sender) is the owner of the contract before assigning the address passed in the _newOwner parameter to the owner variable.
Add this test to the test suite:
And execute it:
Anyone can change the owner of the contract to an arbitrary address.
Tools used: manual review, GNU Emacs (solidity-mode), Foundry tests.
Modify the MysteryBox::changeOwner function so that it checks that the caller is the MysteryBox contract owner before updating the owner variable:
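As an added illustration, not the finding's own test and not the MysteryBox source (which is not reproduced here), the following minimal stand-in contract carries the recommended owner check, and a Foundry test confirms that a call from a non-owner reverts while the owner can still transfer ownership. The contract shape, the MysteryBox__NotOwner error name and the test names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for MysteryBox (constructed for this example;
// only the owner state variable and changeOwner are modelled).
contract MysteryBoxFixed {
    error MysteryBox__NotOwner(); // assumed error name

    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Hardened version: only the current owner may hand over ownership.
    function changeOwner(address _newOwner) public {
        if (msg.sender != owner) revert MysteryBox__NotOwner();
        owner = _newOwner;
    }
}

contract MysteryBoxAccessControlTest is Test {
    MysteryBoxFixed box;
    address deployer = makeAddr("deployer");
    address attacker = makeAddr("attacker");

    function setUp() public {
        vm.prank(deployer); // deployer becomes msg.sender in the constructor
        box = new MysteryBoxFixed();
    }

    // A non-owner call to changeOwner must revert and leave the owner untouched.
    function testNonOwnerCannotChangeOwner() public {
        vm.prank(attacker);
        vm.expectRevert(MysteryBoxFixed.MysteryBox__NotOwner.selector);
        box.changeOwner(attacker);
        assertEq(box.owner(), deployer);
    }

    // The legitimate owner can still transfer ownership.
    function testOwnerCanChangeOwner() public {
        address newOwner = makeAddr("newOwner");
        vm.prank(deployer);
        box.changeOwner(newOwner);
        assertEq(box.owner(), newOwner);
    }
}
```

Run it with `forge test --match-contract MysteryBoxAccessControlTest`; against the unpatched function the first test fails, since the call from the attacker address succeeds instead of reverting.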