Submission Details
Severity:
Unauthorized Ownership Transfer When Only One Beneficiary Exists
Summary: In the inherit() function, when there is only one beneficiary, the contract sets owner = msg.sender without verifying that msg.sender is the beneficiary, allowing anyone to claim ownership after the 90-day timelock
Vulnerability Details : When there's only one beneficiary, the inherit() function allows msg.sender to become the owner without verifying they are the beneficiary
function inherit() external {
if (block.timestamp < getDeadline()) {
revert InactivityPeriodNotLongEnough();
}
if (beneficiaries.length == 1) {
owner = msg.sender; // No check if msg.sender is the beneficiary!
_setDeadline();
} else if (beneficiaries.length > 1) {
isInherited = true;
} else {
revert InvalidBeneficiaries();
}
}
This violates the invariant that "After the 90 days only the beneficiaries get access to the funds."
Impact : High. Anyone can steal a contract with a single beneficiary once the timelock expires.
Tools Used
Recommendations :
function inherit() external {
if (block.timestamp < getDeadline()) {
revert InactivityPeriodNotLongEnough();
}
if (beneficiaries.length == 1) {
require(msg.sender == beneficiaries[0], "Not the beneficiary");
owner = msg.sender;
_setDeadline();
} else if (beneficiaries.length > 1) {
isInherited = true;
} else {
revert InvalidBeneficiaries();
}
}
Updates
Lead Judging Commences
0xtimefliez 9 months ago
Submission Judgement Published Assigned finding tags:
Inherit depends on msg.sender so anyone can claim the contract
Rewards breakdown
nSLOC
211This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.