Summary

The function InheritanceManager.sol::buyOutEstateNFT() contains a flawed return statement inside the for loop, which can prevent beneficiaries from receiving their rightful share when an NFT is bought out. If the buyer is the first element in the beneficiaries array or between the first and the last element, the function will return prematurely, skipping the distribution of funds to other beneficiaries.

Vulnerability Details

Affected code:

• buyOutEstateNFT()

Example:

1. Assume the estate NFT is valued at 100,000 USDC.

2. There are 3 beneficiaries (Alice, Bob, John), each entitled to 1/3 of the estate.

3. The first beneficiary in the array (Alice) buys the NFT, meaning they need to pay only (2/3) of 100,000 = 66,666 USDC as Alice holds the other 1/3.

4. However, since msg.sender is the first beneficiary in the array, the function returns immediately.

5. No funds are transferred to the remaining two beneficiaries, and the NFT is not burned.

Impact

• The buyer successfully purchases the NFT but other beneficiaries do not receive their rightful share of the payment causing finance loss to other beneficiaries.

• The NFT is not burned, which could lead to inconsistencies in the contract state.

Tools Used

• Manual review

Recommendations

Replace return with continue to skip payment for msg.sender but allow the loop to continue. This way we ensure that all rightful beneficiaries receive their funds and the Estate NFT is properly burned to reflect ownership changes.