Submission Details
Severity: high
Valid

[H-1] Anyone can call `InheritanceManager:inherit` and become the owner of the contract

Description: If there is exactly one beneficiary and the inactivity deadline has passed, anyone can call InheritanceManager:inherit and become the owner of the contract, effectively stealing all funds held by it.
There is no restriction on who may call inherit, and because the function executes owner = msg.sender, whoever calls it becomes the contract owner, regardless of whether that address is the registered beneficiary.

Impact: Any address can become the contract owner and control all funds within the contract.

function inherit() external {
    if (block.timestamp < getDeadline()) {
        revert InactivityPeriodNotLongEnough();
    }
    if (beneficiaries.length == 1) {
        owner = msg.sender; // problematic line: the caller, not the beneficiary, becomes owner
        _setDeadline();
    }
    // ...
}

Proof of Code:

Add this test to InheritanceManagerTest.t.sol

function test_inheritSteal() public {
    // user2 is an arbitrary address that was never registered as a beneficiary
    address user2 = makeAddr("user2");
    // Fund the contract so there is something worth taking over
    weth.mint(address(im), 10e18);

    vm.startPrank(owner);
    im.addBeneficiery(user1); // user1 is the sole, legitimate beneficiary
    // Advance past the inactivity deadline (90 days = 7776000 seconds)
    vm.warp(block.timestamp + 7776000);
    assertEq(im.getOwner(), owner);
    vm.stopPrank();

    // The unrelated caller inherits and becomes owner instead of user1
    vm.startPrank(user2);
    im.inherit();
    assertEq(im.getOwner(), user2);
}

Recommended Mitigation: In the inherit function, set the new owner to the first (and only) entry in the beneficiaries array instead of msg.sender, so that whoever triggers the call, ownership can only pass to the registered beneficiary.

function inherit() external {
if (block.timestamp < getDeadline()) {
revert InactivityPeriodNotLongEnough();
}
if (beneficiaries.length == 1) {
- owner = msg.sender;
+ owner = beneficiaries[0];
_setDeadline();
}
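Review bot: the quoted mitigation ends at the inner `}` after `_setDeadline();` and omits the function's closing brace, so as pasted it does not compile; add the trailing `}`. The change deliberately leaves `inherit()` callable by any address, which is acceptable only because the owner slot is now filled from `beneficiaries[0]` regardless of who calls, so an unrelated caller can at most trigger the transfer early for the rightful beneficiary. Only the `beneficiaries.length == 1` branch is shown here; the branch for more than one beneficiary should be checked for the same `msg.sender` dependence.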
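A regression test for the mitigation above, added here as an example and not part of the original submission. It assumes the same Foundry fixture as the page's InheritanceManagerTest.t.sol (`im`, `owner`, `user1`, `weth`, `vm`, `makeAddr`), that `inherit()` has been changed to set `owner = beneficiaries[0]`, and that the `InactivityPeriodNotLongEnough` error is declared inside the `InheritanceManager` contract (an assumption; if it is a file-level error, reference it without the contract prefix):

```solidity
// Added regression test; not part of the original submission. Assumes the
// fixture from InheritanceManagerTest.t.sol on this page and that the
// mitigation (owner = beneficiaries[0]) has been applied.
function test_inheritOnlyBeneficiaryBecomesOwner() public {
    // An attacker that was never registered as a beneficiary
    address attacker = makeAddr("attacker");
    weth.mint(address(im), 10e18);

    vm.prank(owner);
    im.addBeneficiery(user1); // user1 is the sole beneficiary

    // Before the deadline nobody can inherit, not even via the new path.
    // Assumption: the error is declared inside InheritanceManager.
    vm.prank(attacker);
    vm.expectRevert(InheritanceManager.InactivityPeriodNotLongEnough.selector);
    im.inherit();

    // Advance past the 90-day inactivity window (90 days == 7776000 seconds)
    vm.warp(block.timestamp + 90 days);

    // An unrelated caller may still trigger the transfer, but ownership must
    // land on the registered beneficiary, never on msg.sender.
    vm.prank(attacker);
    im.inherit();
    assertEq(im.getOwner(), user1);
    assertTrue(im.getOwner() != attacker);

    // Calling again from the attacker does not move ownership either.
    vm.warp(block.timestamp + 90 days);
    vm.prank(attacker);
    im.inherit();
    assertEq(im.getOwner(), user1);
}
```

Run it with `forge test --match-test test_inheritOnlyBeneficiaryBecomesOwner`; against the unpatched contract the first `assertEq` after `inherit()` fails because `getOwner()` returns the attacker.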
Updates

Lead Judging Commences

0xtimefliez Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract
