Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Loop Logic with Early Return

5stars

Summary

The bug in the buyOutEstateNFT function arises from the incorrect use of return instead of continue in the distribution loop and the miscalculation of the transfer amount as finalAmount / divisor instead of value / divisor. These issues prevent proper fund distribution and fairness among beneficiaries

Vulnerability Details

The function uses a for loop to distribute funds to beneficiaries other than the buyer (msg.sender). However, the loop contains the following condition

if (msg.sender == beneficiaries[i]) {return;} else {IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);}

The return statement causes the function to exit immediately when the buyer's address is encountered in the beneficiaries array. This means that only beneficiaries listed before the buyer in the array receive their share, while those listed after the buyer are skipped entirely.

Impact

Early Return Issue: Some beneficiaries may not receive their share of the buyout funds, depending on their position in the beneficiaries array relative to the buyer. This breaks the fairness and intent of the buyout mechanism.

Tools Used

Recommendations

To prevent this from happening, it is better to change the function to the following form:

for (uint256 i = 0; i < beneficiaries.length; i++) { if (msg.sender != beneficiaries[i]) { IERC20(assetToPay).safeTransfer(beneficiaries[i], share); } }
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

buyOutNFT has return instead of continue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.