Incomplete Beneficiary Removal Leads to Zero Address Inclusion
Details:
The removeBeneficiary function uses the Solidity delete keyword to “remove” an element from the beneficiaries array. However, in Solidity, using delete on an array element resets the element to its default value (in this case, the zero address) without changing the array’s length. Later, when iterating over the array in functions like withdrawInheritedFunds, the contract will inadvertently include the zero address in the iteration. This can result in unintended behavior such as transferring funds to the zero address.
Root Cause:
The root cause is the use of the delete keyword on an array element instead of properly removing the element. This approach leaves a “hole” (a zero address) in the array rather than shifting subsequent elements to maintain array integrity.
Impact:
When funds are distributed among beneficiaries, the calculation uses the total array length. The presence of a zero address results in funds being sent to an address that cannot receive them, causing loss of funds. This not only disrupts the intended beneficiary distribution but can also lead to irrecoverable asset loss.
Recommendation:
Replace the current removal mechanism with one that maintains the integrity of the array. For example, swap the beneficiary to be removed with the last element and then use the pop() function to reduce the array length. This approach prevents holes from forming in the array and ensures that only valid beneficiary addresses are used in subsequent operations.
Lead Judging Commences
Incorrect removal from beneficiary list causes funds to be send to 0 address
Incorrect removal from beneficiary list causes funds to be send to 0 address
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.