The changeOwner function allows any user to change the contract's owner to any address. This can lead to unauthorized modifications of box prices and withdrawal of funds by malicious users.
The changeOwner function is designed to update the contract's owner, but it lacks any access control mechanisms to restrict this capability to the current owner.
The function can be called by any address, allowing anyone to set the owner to any address.
An unauthorized user can exploit this function to assume ownership of the contract, enabling them to manipulate box prices and withdraw funds, leading to potential financial loss for the original owner and users.
Manual Review
To prevent unauthorized ownership transfer, the changeOwner function should be modified to include access control, ensuring that only the current owner can call the function and assign a new owner.
Adding the require statement ensures that only the current owner can call this function and assign a new owner, preventing unauthorized users from manipulating the contract's ownership.
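The unrestricted function next to the recommended form, as an added example that is not the audited contract's own code. The contract names, the `owner` state variable, the parameter name, the event and the zero-address check are assumptions that go beyond what the finding states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Only the function name changeOwner comes from the finding;
// every other identifier here is assumed.

contract ChangeOwnerUnprotected {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Behaviour described in the finding: no caller check, so any address
    // can replace the owner with any address.
    function changeOwner(address _newOwner) public {
        owner = _newOwner;
    }
}

contract ChangeOwnerRestricted {
    address public owner;

    // Assumed event: gives monitoring a record of every ownership change.
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _newOwner) public {
        // The recommended require: only the current owner may reassign ownership.
        require(msg.sender == owner, "caller is not the owner");
        // Assumed extra check: avoid locking the contract by setting the zero address.
        require(_newOwner != address(0), "new owner is the zero address");

        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }
}
```

A call to `changeOwner` on the restricted contract from any address other than `owner` reverts at the first `require`, so the price-setting and withdrawal functions stay under the original owner's control.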