Submission Details
Severity: high
Valid

Incorrect operator in `InheritanceManager:buyOutEstateNFT`

Vulnerability Details

During the distribution we do the following:

```solidity
uint256 value = nftValue[_nftID];
uint256 divisor = beneficiaries.length;
uint256 multiplier = beneficiaries.length - 1;
uint256 finalAmount = (value / divisor) * multiplier;
IERC20(assetToPay).safeTransferFrom(
    msg.sender,
    address(this),
    finalAmount
);
...
    } else {
        IERC20(assetToPay).safeTransfer(
            beneficiaries[i],
@>          finalAmount / divisor
        );
    }
...
```

`finalAmount` is the total price that the buying beneficiary has to pay, excluding their own part.

Let's take an example with the following values:

  • value = 333

  • divisor = 3, total of 3 beneficiaries

  • multiplier = 2

  • finalAmount = 333 / 3 * 2 = 222

That's correct, but then during the transfers, we use:

  • finalAmount / divisor

  • 222 / 2 = 111

The 111 tokens remain in the contract. After that, the beneficiary can call `withdrawInheritedFunds` and get back 37 tokens.

Recommendations

Change the divisor in the transfer to `multiplier`:

```solidity
    } else {
        IERC20(assetToPay).safeTransfer(
            beneficiaries[i],
@>          finalAmount / multiplier
        );
    }
```

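The buy-out arithmetic from the excerpt, generalised to any NFT value and beneficiary count, as an added example that is not part of the original submission or the project's code. The library `BuyOutMath`, the contract `BuyOutInvariant` and their function names are hypothetical; the check shows that paying out with `divisor` always strands part of the payment, while `multiplier` leaves nothing behind.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: a pure model of the buy-out arithmetic, not the project's contract.
/// `BuyOutMath` and its function names are hypothetical.
library BuyOutMath {
    /// Amount the buyer pays in: every share of `value` except the buyer's own.
    function amountPaidIn(uint256 value, uint256 n) internal pure returns (uint256) {
        require(n > 1, "need at least two beneficiaries");
        return (value / n) * (n - 1);
    }

    /// Payout per non-buying beneficiary as written in the excerpt (divides by n).
    function payoutBuggy(uint256 value, uint256 n) internal pure returns (uint256) {
        return amountPaidIn(value, n) / n;
    }

    /// Payout per non-buying beneficiary with the recommended denominator (n - 1).
    function payoutFixed(uint256 value, uint256 n) internal pure returns (uint256) {
        return amountPaidIn(value, n) / (n - 1);
    }

    /// Tokens left in the contract after paying the n - 1 other beneficiaries.
    function stranded(uint256 value, uint256 n, bool fixedDenominator)
        internal pure returns (uint256)
    {
        uint256 paidIn = amountPaidIn(value, n);
        uint256 each = fixedDenominator ? payoutFixed(value, n) : payoutBuggy(value, n);
        return paidIn - each * (n - 1);
    }
}

/// Conservation check that a unit or fuzz test can call with arbitrary inputs.
contract BuyOutInvariant {
    function check(uint256 value, uint256 n) external pure returns (bool) {
        // Fixed form: (value / n) * (n - 1) divides exactly by (n - 1), so nothing is left.
        bool fixedOk = BuyOutMath.stranded(value, n, true) == 0;
        // Buggy form: each payout is strictly below value / n, so any non-zero
        // payment leaves a remainder in the contract.
        bool buggyLeaks = BuyOutMath.amountPaidIn(value, n) == 0
            || BuyOutMath.stranded(value, n, false) > 0;
        return fixedOk && buggyLeaks;
    }
}
```

Calling `check` from a fuzz test with `n` bounded to at least 2 turns the finding into a regression guard: the function reverts for `n < 2` and returns `true` for every other input.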
Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

buyOutNFT has wrong denominator
