Submission Details
Severity:
Incorrect calculation in buyOutEstateNFT(), InheritanceManager.sol
Summary
The buyOutEstateNFT function contains a critical issue in the following line:
uint256 multiplier = beneficiaries.length - 1;
Vulnerability Details
If beneficiaries.length is 1, then multiplier = 1 - 1 = 0, which means the finalAmount will always be 0, leading to no funds being transferred.
function buyOutEstateNFT(uint256 _nftID) external onlyBeneficiaryWithIsInherited {
uint256 value = nftValue[_nftID];
uint256 divisor = beneficiaries.length;
uint256 multiplier = beneficiaries.length - 1;
uint256 finalAmount = (value / divisor) * multiplier;
IERC20(assetToPay).safeTransferFrom(msg.sender, address(this), finalAmount);
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (msg.sender == beneficiaries[i]) {
return;
} else {
IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);
}
}
nft.burnEstate(_nftID);
}
Impact
The finalAmount will always be zero, resulting in no funds being transferred to the other beneficiaries
Tools Used
Manual review
Recommendations
function buyOutEstateNFT(uint256 _nftID) external onlyBeneficiaryWithIsInherited {
uint256 value = nftValue[_nftID];
uint256 divisor = beneficiaries.length;
require(divisor > 1, "Cannot buy out if only one beneficiary exists"); // new line
uint256 finalAmount = (value * (divisor - 1)) / divisor;
IERC20(assetToPay).safeTransferFrom(msg.sender, address(this), finalAmount);
uint256 share = finalAmount / (divisor - 1); // new line
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (beneficiaries[i] != msg.sender) {
IERC20(assetToPay).safeTransfer(beneficiaries[i], share);
}
}
nft.burnEstate(_nftID);
}
Updates
Lead Judging Commences
0xtimefliez 5 months ago
Submission Judgement Published Assigned finding tags:
buyOutNFT has wrong denominator
Rewards breakdown
nSLOC
211This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.