Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Unrestricted Ownership Change in `MysteryBox.sol#changeOwner()`

Description:
The function MysteryBox#changeOwner() is public and performs no access check, so anyone can become the contract owner simply by calling it. An attacker who does so takes control of the contract, with the following consequences:

  1. Once an attacker gains ownership, they can call MysteryBox#withdrawFunds() and drain all the money from the reward pool.

  2. They can set the box price to zero using MysteryBox#setBoxPrice(), allowing them to buy all boxes for free.

  3. The attacker can control all contract functions, steal rewards, and siphon the contract’s entire balance.

Impact:
If an attacker becomes the contract owner, they can:

  • Drain the entire contract balance.

  • Manipulate box prices.

  • Steal users' rewards.

  • Essentially take full control of the contract, causing significant financial damage to all users.

Proof of Concept:
An attacker calls MysteryBox#changeOwner() and passes their own address as the new owner:

// File src/MysteryBox.sol#changeOwner
function changeOwner(address _newOwner) public {
    owner = _newOwner;
}

Now, the attacker can withdraw all funds or set malicious box prices.

Recommendation:
Restrict ownership changes by ensuring only the current owner can call the changeOwner() function:

function changeOwner(address _newOwner) public {
+ require(msg.sender == owner, "Only the owner can set a new owner");
owner = _newOwner;
}
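
Review bot: the added require checks only msg.sender, while `_newOwner` is still assigned unvalidated on the following line, so an owner call with address(0) would leave the contract with no owner and no way to recover it. Consider also rejecting the zero address, for example `require(_newOwner != address(0), "New owner is the zero address");`, and emitting an event when the owner changes so transfers can be monitored off-chain.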

This will prevent unauthorized users from changing the contract ownership.
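
A Foundry regression test for the recommended check, added here as an example and not taken from the submission or the MysteryBox repository. The contract `OwnershipStandIn`, the test contract name and the three labelled addresses are hypothetical; the stand-in reproduces only the ownership logic with the require applied.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Reduced stand-in for MysteryBox (hypothetical name): only the ownership
// logic is reproduced, with the recommended require applied.
contract OwnershipStandIn {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only the owner can set a new owner");
        owner = _newOwner;
    }
}

contract ChangeOwnerAccessTest is Test {
    OwnershipStandIn internal box;
    // Constructed test addresses, labelled for readable traces.
    address internal deployer = makeAddr("deployer");
    address internal stranger = makeAddr("stranger");
    address internal successor = makeAddr("successor");

    function setUp() public {
        vm.prank(deployer); // the deployment is sent from `deployer`
        box = new OwnershipStandIn();
    }

    // Fails if the require is removed, passes once it is in place.
    function test_changeOwner_revertsForNonOwner() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("Only the owner can set a new owner"));
        box.changeOwner(stranger);
        assertEq(box.owner(), deployer); // ownership is unchanged
    }

    // The legitimate path must keep working after the fix.
    function test_changeOwner_succeedsForOwner() public {
        vm.prank(deployer);
        box.changeOwner(successor);
        assertEq(box.owner(), successor);
    }
}
```

Run with `forge test` in a Foundry project; to cover the real contract, deploy MysteryBox in setUp() in place of the stand-in.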

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can change owner
