Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can claim ownership of the protocol

bhanusaienamala
## Summary
The `changeOwner()` function in the protocol allows any user to change the ownership of the contract. This introduces a significant security vulnerability, as malicious users can take control of the contract by simply calling the function. Proper access control needs to be enforced to ensure only the current owner can change the ownership.
## Vulnerability Details
The current implementation of the `changeOwner()` function does not check whether the caller is the current owner of the contract. This means that any user can call this function and change the owner of the contract to themselves or another address. This is a severe security flaw, as it allows unauthorized access to the contract's critical functions.
## Impact
Allowing any user to change the contract's owner can lead to complete loss of control over the contract. The new owner could access restricted functions, withdraw funds, and manipulate the contract to their advantage, leading to the potential loss of user funds and trust in the protocol.
## Tools Used
Manual code review and Solidity testing framework (e.g., Foundry).
## Recommendations
To mitigate this issue, the `changeOwner()` function should be restricted so that only the current owner of the contract can call it. This can be achieved by adding an ownership check using a `require` statement.
Here is the updated `changeOwner()` function:
```diff
function changeOwner(address _newOwner) public {
+ require(msg.sender == owner, "Only the owner can change ownership");
owner = _newOwner;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
11 months ago

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.