The function InheritanceManager.sol::buyOutEstateNFT() contains a flawed return statement inside the for loop, which can prevent beneficiaries from receiving their rightful share when an NFT is bought out. If the buyer is the first element in the beneficiaries array or between the first and the last element, the function will return prematurely, skipping the distribution of funds to other beneficiaries.
Affected code:
Example:
Assume the estate NFT is valued at 100,000 USDC.
There are 3 beneficiaries (Alice, Bob, John), each entitled to 1/3 of the estate.
The first beneficiary in the array (Alice) buys the NFT, meaning she needs to pay only 2/3 of 100,000 = 66,666 USDC, since Alice already holds the other 1/3.
However, since msg.sender is the first beneficiary in the array, the function returns immediately.
No funds are transferred to the remaining two beneficiaries, and the NFT is not burned.
The buyer successfully purchases the NFT, but the other beneficiaries do not receive their rightful share of the payment, causing them a financial loss.
The NFT is not burned, which could lead to inconsistencies in the contract state.
Manual review
Replace return with continue to skip payment for msg.sender but allow the loop to continue. This way we ensure that all rightful beneficiaries receive their funds and the Estate NFT is properly burned to reflect ownership changes.
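The difference between return and continue can be checked for every buyer position with a small model. This is an added example, not the contract's code: it is a Python model of the loop, and it assumes the payment is split evenly among the other beneficiaries and that the burn is the statement following the loop (buy_out and stranded are hypothetical names).

```python
# Added illustration: a Python model of the payout loop, not the contract's Solidity.
# Assumptions (not from the page): the payment is split evenly among the other
# beneficiaries, and the NFT burn is the statement that follows the loop.

def buy_out(beneficiaries, buyer, nft_value, skip_stmt):
    """Model buyOutEstateNFT(). skip_stmt is "return" (flawed) or "continue" (fixed).

    Returns (payment, payouts, burned).
    """
    if buyer not in beneficiaries:
        raise ValueError("buyer must be a beneficiary")
    if skip_stmt not in ("return", "continue"):
        raise ValueError("skip_stmt must be 'return' or 'continue'")
    n = len(beneficiaries)
    payment = nft_value // n * (n - 1)          # buyer already holds 1/n
    share = payment // (n - 1) if n > 1 else 0  # assumed even split
    payouts = {}
    for b in beneficiaries:
        if b == buyer:
            if skip_stmt == "return":
                # Flawed path: leaves the function, so later payouts and the burn are skipped.
                return payment, payouts, False
            continue                            # fixed path: skip only the buyer
        payouts[b] = share
    return payment, payouts, True               # burn is reached only after a full loop


def stranded(payment, payouts):
    """Amount the buyer paid in that was never passed on to beneficiaries."""
    return payment - sum(payouts.values())


if __name__ == "__main__":
    heirs = ["Alice", "Bob", "John"]            # constructed from the page's example
    for stmt in ("return", "continue"):
        for buyer in heirs:
            payment, payouts, burned = buy_out(heirs, buyer, 100_000, stmt)
            print(f"{stmt:8} buyer={buyer:5} paid={payment} payouts={payouts} "
                  f"burned={burned} stranded={stranded(payment, payouts)}")
```

In this model the return variant never reaches the burn for any buyer position, including the last one, while the continue variant pays every other beneficiary and burns the NFT regardless of where the buyer sits in the array.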