Submission Details
Severity:
Incorect operator in `InheritanceManager:buyOutEstateNFT`
Vulnerability Details
During the distribution we do the following
uint256 value = nftValue[_nftID];
uint256 divisor = beneficiaries.length;
uint256 multiplier = beneficiaries.length - 1;
uint256 finalAmount = (value / divisor) * multiplier;
IERC20(assetToPay).safeTransferFrom(
msg.sender,
address(this),
finalAmount
);
...
} else {
IERC20(assetToPay).safeTransfer(
beneficiaries[i],
@> finalAmount / divisor
);
}
...
The finalAmount is the total price that the beneficiary has to pay, excluding their own part.
Let's take examples with the following values
value = 333divisor = 3, total of 3 beneficiariesmultiplier = 2finalAmount = 333 / 3 * 2 = 222
That's correct, but then during the transfers, we use
finalAmount / divisor222 / 2 = 111
The 111 tokens remain in the contract. After that, the beneficiary can call withdrawInheritedFunds and get back 37 tokens
Recommendations
Change the operator to multiplier
} else {
IERC20(assetToPay).safeTransfer(
beneficiaries[i],
@> finalAmount / multiplier
);
}
Updates
Lead Judging Commences
0xtimefliez 5 months ago
Submission Judgement Published Assigned finding tags:
buyOutNFT has wrong denominator
Rewards breakdown
nSLOC
211This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.