Mystery Box

First Flight #25
Beginner Friendly, Foundry, 100 EXP
Submission Details
Severity: high
Valid

Unauthorized Ownership Change in MysteryBox Contract

Summary

The changeOwner() function in the MysteryBox contract allows any user to transfer ownership of the contract without restriction. This behavior contradicts the documentation, which states that neither the admin nor the user should have the permission to change ownership. The lack of access control in this function poses a significant security risk, as it enables any user to assume control of the contract, potentially leading to malicious activities, including withdrawing funds or altering critical contract parameters.

Vulnerability Details

The changeOwner() function in the contract is defined as:

function changeOwner(address _newOwner) public {
    // No check on msg.sender: any caller can install any address as owner.
    owner = _newOwner;
}

Key Issue:

  • There is no access control on the changeOwner() function, meaning any user can call it and set themselves (or any address) as the new owner of the contract.

  • This behavior directly contradicts the documented intent, which specifies that users and admins should not have permission to change ownership.

This lack of restriction allows attackers to take over the contract and perform sensitive actions, such as withdrawing all funds using the withdrawFunds() function or modifying other administrative settings (e.g., setBoxPrice() and addReward()).

Example Scenarios

Unauthorized Ownership Change Scenario:

Initial Setup: An attacker notices that the changeOwner() function is callable by anyone.

Execution: The attacker calls the changeOwner() function, passing their own address as the new owner.

Outcome: The attacker becomes the contract's owner and can now perform sensitive administrative actions, including withdrawing all funds from the contract.

Impact

  • Complete loss of control: Any user can take ownership of the contract, leading to complete loss of control for the original owner.

  • Loss of funds: An attacker who gains ownership can withdraw all funds from the contract.

  • Unauthorized modification of contract parameters: The attacker can modify parameters such as boxPrice and add or remove rewards, damaging the contract's integrity and trustworthiness.

Tools Used

Manual Review

Recommendations

Add Ownership Access Control:

function changeOwner(address _newOwner) public {
    // Added line: only the current owner may transfer ownership.
    require(msg.sender == owner, "Only the owner can change ownership");
    owner = _newOwner;
}

This ensures that only the legitimate owner has the permission to transfer ownership, aligning with the intended behavior documented in the contract's specification.
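As an added example (not the project's code and not part of this report), the following Foundry test pins down the behaviour described in the Vulnerability Details and Recommendations sections. OwnedBox is an assumed stand-in that keeps only the ownership logic of the MysteryBox contract: it assumes the owner is set to the deployer in the constructor and carries the require check from the recommendation above. The contract and test names, the address labels and the exact revert string are assumptions. The first test is the regression check for this finding (a non-owner call reverts and owner is unchanged); the second confirms the legitimate owner can still transfer ownership, so the fix does not break intended behaviour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed minimal stand-in for the MysteryBox ownership logic (not the project's contract).
// Only the parts relevant to the finding are modelled: owner storage and changeOwner().
contract OwnedBox {
    address public owner;

    constructor() {
        // Assumption: ownership is fixed to the deployer at construction time.
        owner = msg.sender;
    }

    // Recommended form of changeOwner(): the current owner is the only caller allowed through.
    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only the owner can change ownership");
        owner = _newOwner;
    }
}

contract OwnedBoxTest is Test {
    OwnedBox internal box;

    // Constructed test addresses (labelled so forge traces are readable).
    address internal deployer = makeAddr("deployer");
    address internal stranger = makeAddr("stranger");
    address internal successor = makeAddr("successor");

    function setUp() public {
        // Deploy as `deployer` so that address becomes the initial owner.
        vm.prank(deployer);
        box = new OwnedBox();
    }

    // Regression test for this finding: an arbitrary caller must be rejected
    // and the stored owner must be exactly what it was before the call.
    function test_nonOwnerCannotChangeOwner() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("Only the owner can change ownership"));
        box.changeOwner(stranger);

        assertEq(box.owner(), deployer, "owner must be unchanged after rejected call");
    }

    // The fix must not lock the legitimate owner out of transferring ownership.
    function test_ownerCanChangeOwner() public {
        vm.prank(deployer);
        box.changeOwner(successor);

        assertEq(box.owner(), successor, "owner should be updated by the current owner");
    }
}
```

Run it with forge test from a Foundry project that has forge-std installed. Because the first test asserts on the stored owner after the expected revert, it would also catch a variant of the bug where the check is present but placed after the assignment.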

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
