## Project: Inheritance Smart Contract
## Audited by: Erik Lochoshvili
## Date: March 2025
This audit report reviews the security and functionality of the smart contract `InheritanceManager`, focusing on potential vulnerabilities and areas for improvement. The code was analyzed using static analysis tools (like Slither) and manual inspection to identify risks that could impact the safety of the funds and the contract's operation.

1. Reentrancy Risk
The function `withdrawInheritedFunds` utilizes a low-level `call` to send Ether to beneficiaries. This introduces a risk of reentrancy attacks, allowing a malicious beneficiary contract to call back into the `InheritanceManager` contract and potentially exploit the vulnerability.

2. Gas Limit Issue with Large Numbers of Beneficiaries
The contract iterates over a list of beneficiaries in a loop to distribute inherited funds. If the list is too large, this could exceed the gas limit, leading to a failed transaction.

3. Unprotected Asset Withdrawals (Lack of Access Control)
The function `withdrawInheritedFunds` does not have access control, meaning it can be triggered by anyone, not just the owner or authorized beneficiaries. This exposes the contract to unauthorized withdrawals.

4. Unchecked External Call to `safeTransfer`
While the function uses `safeTransfer` to send tokens to beneficiaries, there is no explicit error handling for failures in token transfers, such as insufficient balance or allowance issues. This could lead to unnoticed transfer failures.

Reentrancy Risk: A malicious actor could exploit the vulnerability to drain funds from the contract, compromising the security of inherited assets.

Gas Limit Issue: If the number of beneficiaries exceeds a manageable threshold, the contract's `withdrawInheritedFunds` function could run out of gas, causing transactions to fail and preventing beneficiaries from receiving their inheritance.

Unprotected Asset Withdrawals: Unauthorized users could potentially call the `withdrawInheritedFunds` function, resulting in an improper distribution of funds or malicious withdrawals, leading to financial loss for beneficiaries.

Unchecked External Call to `safeTransfer`: Without proper error handling, token transfers could fail silently, potentially causing assets to be lost or not distributed as intended.

Slither: Static analysis tool used to identify common vulnerabilities in the smart contract code, including reentrancy risks, unchecked external calls, and gas inefficiencies.

Manual Review: In-depth code inspection to assess the logic, flow, and design of the contract, ensuring that no potential vulnerabilities were overlooked.

Reentrancy Protection: Replace the low-level `call` method with the `transfer` method to prevent reentrancy attacks. Alternatively, consider implementing a pull-payment mechanism, where beneficiaries manually withdraw their funds to avoid the issue.

Gas Optimization: Implement a batching mechanism to allow funds to be distributed in smaller transactions, preventing gas limit issues. Alternatively, consider enabling a pull-payment mechanism that allows beneficiaries to withdraw their inheritance on their own, eliminating the need for looping over large arrays.

Access Control: Add access control to the `withdrawInheritedFunds` function to ensure that only authorized users, such as the contract owner or specific beneficiaries, can trigger the withdrawal. Use the `Ownable` contract or custom access control modifiers to restrict access.

Failure Handling for Token Transfers: Implement explicit error handling after the `safeTransfer` calls to ensure that the transfer succeeds. If a transfer fails, the contract should revert the transaction or handle the failure appropriately to prevent unnoticed issues.
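
The pull-payment alternative from the recommendations above, combined with an access-control modifier and a checked Ether send, as an added sketch that is not the audited `InheritanceManager` code. The contract name, functions, errors and equal-share split are assumptions for illustration; the conditions that trigger inheritance and ERC-20 handling are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the audited InheritanceManager. All names are hypothetical.
contract PullInheritanceSketch {
    address public immutable owner;
    mapping(address => bool) public isBeneficiary;
    mapping(address => bool) public claimed;
    uint256 public beneficiaryCount;
    uint256 public sharePerBeneficiary; // fixed once in openDistribution()
    bool public distributionOpen;

    error NotAuthorized();
    error AlreadyOpen();
    error NotOpen();
    error AlreadyClaimed();
    error TransferFailed();

    constructor(address[] memory beneficiaries) payable {
        owner = msg.sender;
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (isBeneficiary[beneficiaries[i]]) continue; // ignore duplicates
            isBeneficiary[beneficiaries[i]] = true;
            beneficiaryCount++;
        }
    }

    // Access control: only the owner or a registered beneficiary may call.
    modifier onlyAuthorized() {
        if (msg.sender != owner && !isBeneficiary[msg.sender]) revert NotAuthorized();
        _;
    }

    // O(1): fixes the per-beneficiary share; no loop over beneficiaries.
    function openDistribution() external onlyAuthorized {
        if (distributionOpen) revert AlreadyOpen();
        distributionOpen = true;
        sharePerBeneficiary = address(this).balance / beneficiaryCount; // reverts if zero
    }

    // Each beneficiary pulls their own share, so gas cost is per caller.
    function claim() external {
        if (!distributionOpen) revert NotOpen();
        if (!isBeneficiary[msg.sender]) revert NotAuthorized();
        if (claimed[msg.sender]) revert AlreadyClaimed();
        claimed[msg.sender] = true; // effect first: a re-entrant claim() reverts
        (bool ok, ) = msg.sender.call{value: sharePerBeneficiary}("");
        if (!ok) revert TransferFailed(); // failed send reverts, undoing the flag
    }
}
```

Any remainder left by the integer division stays in the contract; a production design would need a rule for it.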