Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Anyone Can Change the Contract Owner

Summary

The changeOwner function lacks proper access control, allowing any user to transfer ownership of the contract to themselves or another address. This could result in unauthorized control of the contract.

Vulnerability Details

The changeOwner function is missing a permission check, meaning any user can call this function and change the contract's ownership. Without access control, anyone interacting with the contract can replace the current owner with any address, leading to a potential takeover of the contract's operations.

    function changeOwner(address _newOwner) public {
        owner = _newOwner;
    }

Impact

A malicious user could take control of the contract, enabling them to:

  • Withdraw all funds from the contract.

  • Manipulate rewards and other sensitive functionality.

  • Significantly harm the protocol, resulting in loss of user trust and funds.

Tools Used

Manual Code Review

Recommendations

Add an access control check to the changeOwner function, such as require(msg.sender == owner), to ensure only the current owner can change the ownership of the contract. This will safeguard against unauthorized transfers of ownership.
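The recommended check with a Foundry regression test, as an added example that is not the audited contract's source or part of the original submission. `OwnedBox`, the revert string, and the test addresses are hypothetical names chosen for illustration; only `changeOwner`, `owner`, and the `require(msg.sender == owner)` check come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal contract: only the ownership logic from the
// finding is reproduced, with the recommended check applied.
contract OwnedBox {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Hardened: reverts unless the caller is the current owner.
    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only owner can change owner");
        owner = _newOwner;
    }
}

contract OwnedBoxTest is Test {
    OwnedBox box;
    address stranger = makeAddr("stranger");   // constructed test address
    address successor = makeAddr("successor"); // constructed test address

    function setUp() public {
        box = new OwnedBox(); // this test contract becomes the owner
    }

    // Regression test for the finding: an arbitrary caller must be rejected
    // and the stored owner must stay unchanged.
    function test_NonOwnerCannotChangeOwner() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("Only owner can change owner"));
        box.changeOwner(stranger);
        assertEq(box.owner(), address(this));
    }

    // The legitimate hand-over path must keep working after the fix.
    function test_OwnerCanHandOver() public {
        box.changeOwner(successor);
        assertEq(box.owner(), successor);
    }
}
```

Run with `forge test`; against the original unchecked `changeOwner`, the first test fails because the call does not revert.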

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
