Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Wrong logic in `InheritanceManager::inherit` give anyone access to drain the contract funds.

olayinkablexxy

Summary

The InheritanceManager::inherit function can be called by anyone. When used as a backup, i.e, just 1 beneficiary, an attacker can call this function in order to gain access to the contract. This is because InheritanceManager::inherit doesn't use the beneficiary as the owner, instead, it uses the caller, which can be an attacker.

Vulnerability Details

The attacker waits for the InheritanceManager::deadline to pass. Immediately it's 90 days + 1 seconds, the attacker calls the `InheritanceManager:inherit to take over the contract.

POC

Place this function inside the test/InheritanceManagerTest.sol file:

function test_wrong_backup() external {
assertEq(im.getOwner(), owner); // the real owner
address attacker = makeAddr("attacker");
vm.prank(owner);
im.addBeneficiery(user1); // the backup wallet
vm.deal(address(im), 9e18);
vm.warp(1 + 90 days);
vm.prank(attacker);
im.inherit();
assertEq(im.getOwner(), attacker);
}

Impact

Loss of funds because the owner and backup wallet lose control of the contract.

Tools Used

Manual Review

Recommendations

Use the only address in the beneficiaries array as the beneficiary:

function inherit() external {
if (block.timestamp < getDeadline()) {
revert InactivityPeriodNotLongEnough();
}
if (beneficiaries.length == 1) {
- owner = msg.sender;
+ owner = beneficiaries[0];
_setDeadline();
} else if (beneficiaries.length > 1) {
isInherited = true;
} else {
revert InvalidBeneficiaries();
}
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.