Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Missing `onlyOwner` check in `changeOwner()`

Summary

In the MysteryBox contract, there is no check to ensure that only the owner can call `changeOwner()`.

Vulnerability Details

Currently, anyone can call `changeOwner()` and overwrite the `owner` variable, because the function carries no access restriction at all.

Impact

This could result in the contract’s ownership being transferred unintentionally or maliciously. Whoever becomes owner controls every owner-only function, potentially locking the legitimate owner out of the contract and making it inaccessible.

Tools Used

Manual review

Recommendations

Implement an onlyOwner modifier and apply it to all functions that should be restricted to the contract owner:

+modifier onlyOwner() {
+ require(msg.sender == owner, "Not the owner");
+ _;
+}
-function changeOwner(address _newOwner) public {
+function changeOwner(address newOwner) public onlyOwner {
require(newOwner != address(0), "Invalid address");
owner = newOwner;
}
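Review bot: the removed signature names the parameter `_newOwner`, but the two unchanged body lines (`require(newOwner != address(0), "Invalid address");` and `owner = newOwner;`) use `newOwner`, so this hunk silently renames the parameter without showing the body as changed; either keep `_newOwner` to match the `_price` and `_name` naming on the other setters (and show the two body lines as updated), or present the body lines as part of the change. The zero-address `require` should stay as it is; `onlyOwner` only adds the caller check, it does not replace input validation.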
-function setBoxPrice(uint256 _price) public {
+function setBoxPrice(uint256 _price) public onlyOwner {
- require(msg.sender == owner, "Only owner can set price");
boxPrice = _price;
}
-function addReward(string memory _name, uint256 _value) public {
+function addReward(string memory _name, uint256 _value) public onlyOwner {
- require(msg.sender == owner, "Only owner can add rewards");
rewardPool.push(Reward(_name, _value));
}
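Review bot: in the `setBoxPrice` and `addReward` hunks the inline `require(msg.sender == owner, ...)` lines are dropped in favour of the modifier, which changes the revert reason from `"Only owner can set price"` / `"Only owner can add rewards"` to the modifier's `"Not the owner"`; any existing test that matches on those strings (for example with `vm.expectRevert(bytes("Only owner can set price"))`) will need updating, so mention the reason-string change in the recommendation.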
-function withdrawFunds() public {
+function withdrawFunds() public onlyOwner {
- require(msg.sender == owner, "Only owner can withdraw");
(bool success,) = payable(owner).call{value: address(this).balance}("");
require(success, "Transfer failed");
}
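A regression test is the natural companion to this recommendation, since the First Flight is a Foundry project: it should fail against the unpatched contract (the outsider's call goes through) and pass once `onlyOwner` is applied. The file below is an added example, not code from the MysteryBox project or the submitter; it models only the ownership surface of the contract in a stand-in named `OwnedBox` (an assumed name, with the `owner`, `boxPrice`, `changeOwner` and `setBoxPrice` members mirroring the report) and uses forge-std's `Test`, `vm.prank`, `vm.expectRevert` and `makeAddr`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the audited contract (assumption: names mirror the report,
// not the project's own source). Only the ownership surface is modelled.
contract OwnedBox {
    address public owner;
    uint256 public boxPrice;

    modifier onlyOwner() {
        require(msg.sender == owner, "Not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Fixed version: restricted to the owner and rejects the zero address.
    function changeOwner(address newOwner) public onlyOwner {
        require(newOwner != address(0), "Invalid address");
        owner = newOwner;
    }

    function setBoxPrice(uint256 _price) public onlyOwner {
        boxPrice = _price;
    }
}

contract OwnershipTest is Test {
    OwnedBox box;
    address deployer = makeAddr("deployer");
    address outsider = makeAddr("outsider");

    function setUp() public {
        vm.prank(deployer);
        box = new OwnedBox();
    }

    // Regression test for the finding: a call from anyone but the owner must
    // revert. Against the unpatched contract this test fails, because the
    // call succeeds and the owner is overwritten.
    function test_nonOwnerCannotChangeOwner() public {
        vm.expectRevert(bytes("Not the owner"));
        vm.prank(outsider);
        box.changeOwner(outsider);
        assertEq(box.owner(), deployer);
    }

    // The legitimate owner can still hand over ownership, and is locked out
    // of owner-only functions afterwards (expected behaviour of a transfer).
    function test_ownerCanTransferOwnership() public {
        vm.prank(deployer);
        box.changeOwner(outsider);
        assertEq(box.owner(), outsider);

        vm.expectRevert(bytes("Not the owner"));
        vm.prank(deployer);
        box.setBoxPrice(1 ether);
    }

    // The existing zero-address check is kept alongside the new modifier.
    function test_zeroAddressRejected() public {
        vm.expectRevert(bytes("Invalid address"));
        vm.prank(deployer);
        box.changeOwner(address(0));
    }
}
```

Run it with `forge test --match-contract OwnershipTest`. Note that the revert strings asserted here are the modifier's `"Not the owner"`; if the project keeps its original inline reason strings instead of the modifier, the `expectRevert` arguments must match those strings.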
Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
