Submission Details
Severity: medium
Invalid

[M-4] Duplicate beneficiary can be added with `addBeneficiary`

Description:

There is no validation that the beneficiary already exists in the list of beneficiaries.
This allows the same address to be added multiple times.

Impact:

Medium - there is no direct loss of funds, but the distribution becomes uneven when the `withdrawInheritedFunds` function is called. The duplicate address will receive a bigger portion of the assets.

Likelihood: Medium. Adding duplicate beneficiaries requires owner oversight or intentional action, which is plausible during normal usage (e.g., manually adding beneficiaries without checking for duplicates). However, it’s not an automatic or default occurrence, nor does it require an external attack—just a lack of diligence or a UI that doesn’t enforce uniqueness.

Proof of Concept:

```solidity
// Foundry test: the owner adds the same address `iterations` times and every call succeeds.
function test_canAddDuplicateBeneficiary() public {
    address user2 = makeAddr("user2");
    uint256 iterations = 100;

    vm.startPrank(owner);
    uint256 beneficiariesBefore = im.getBeneficiaryCount();
    for (uint256 i = 0; i < iterations; i++) {
        im.addBeneficiery(user2);
    }
    uint256 beneficiariesAfter = im.getBeneficiaryCount();
    vm.stopPrank();

    // The list grew by one entry per call, although only one distinct address was added.
    assertTrue(beneficiariesBefore == (beneficiariesAfter - iterations));
    assertTrue(beneficiariesAfter == iterations);
}

// Helper on the contract under test (`im`), called by the test above.
function getBeneficiaryCount() public view returns (uint256) {
    return beneficiaries.length;
}
```

Recommended Mitigation:

We can benefit from the mapping suggested in [H-2] and detect duplicates.
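
A sketch of the mapping-based duplicate check, added here as an illustration; it is not part of the submission or of the audited contract. The contract name `BeneficiaryRegistry`, the mapping name `isBeneficiary`, the custom errors and `removeBeneficiary` are assumptions, since the mapping from [H-2] is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Reduced beneficiary registry (illustrative) that rejects duplicates
/// with an O(1) mapping lookup instead of scanning the array.
contract BeneficiaryRegistry {
    address public immutable owner;
    address[] private beneficiaries;
    // Hypothetical name: membership flag kept in sync with the array.
    mapping(address => bool) private isBeneficiary;

    error NotOwner();
    error DuplicateBeneficiary(address beneficiary);
    error UnknownBeneficiary(address beneficiary);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Same spelling as the call used in the proof of concept.
    function addBeneficiery(address _beneficiary) external onlyOwner {
        if (isBeneficiary[_beneficiary]) revert DuplicateBeneficiary(_beneficiary);
        isBeneficiary[_beneficiary] = true;
        beneficiaries.push(_beneficiary);
    }

    // Removal must clear the flag, otherwise the address could never be re-added.
    function removeBeneficiary(address _beneficiary) external onlyOwner {
        if (!isBeneficiary[_beneficiary]) revert UnknownBeneficiary(_beneficiary);
        uint256 last = beneficiaries.length - 1;
        for (uint256 i = 0; i <= last; i++) {
            if (beneficiaries[i] == _beneficiary) {
                beneficiaries[i] = beneficiaries[last]; // swap-and-pop leaves no gap
                beneficiaries.pop();
                break;
            }
        }
        isBeneficiary[_beneficiary] = false;
    }

    function getBeneficiaryCount() external view returns (uint256) {
        return beneficiaries.length;
    }
}
```

With this guard in place, the second iteration of the loop in the proof of concept reverts with `DuplicateBeneficiary`, so the beneficiary count cannot exceed the number of distinct addresses.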

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
