Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect calculations on NFT payment distribution leads to beneficiaries receiving less than their expected share of the funds

iii

Summary

When a beneficiary buys an estate NFT through function InheritanceManager::buyOutEstateNFT, it calculates the amount to be transferred proportionally to the remaining beneficiaries. However, the calculations are incorrect and will result in them receiving less than their fair share of the payment.

Vulnerability Details

The function first calculates the payment amount to distribute finalAmount as:

uint256 finalAmount = (value / divisor) * multiplier;

Solidity will truncate the result when value isn't evenly divisible by divisor and so the fractional value will be lost, leading to incorrect calculation results.
More importantly, each beneficiary receives:

IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);

Besides leading to further rounding errors, the division incorrectly takes into account the beneficiary that's purchasing the NFT, further reducing the payment each one receives.

Impact

Beneficiaries receive less than their expected share of the funds

Tools Used

Manual Review

Recommendations

Correct both the payment share formula and reduce the rounding errors:

function buyOutEstateNFT(uint256 _nftID) external onlyBeneficiaryWithIsInherited {

uint256 value = nftValue[_nftID];

uint256 divisor = beneficiaries.length;

uint256 multiplier = beneficiaries.length - 1;

- uint256 finalAmount = (value / divisor) * multiplier;

+ uint256 finalAmount = (value * multiplier) / divisor;

IERC20(assetToPay).safeTransferFrom(msg.sender, address(this), finalAmount);

for (uint256 i = 0; i < beneficiaries.length; i++) {

if (msg.sender == beneficiaries[i]) {

return;

} else {

- IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);

+ IERC20(assetToPay).safeTransfer(beneficiaries[i], value / divisor);

}

nft.burnEstate(_nftID);

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

buyOutNFT has wrong denominator

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.