[H-10] DoS possibility in `InheritanceManager::withdrawInheritedFunds` if one beneficiary is blacklisted in ERC-20 withdraws
Summary
Some ERC-20 tokens (e.g., USDT, USDC on certain networks) implement blacklisting mechanisms where specific addresses are prohibited from receiving tokens. If a transfer to a blacklisted address is attempted, the transaction reverts.
Vulnerability Details
In withdrawInheritedFunds (ERC-20 branch), safeTransfer is called in a loop to send tokens to each beneficiary. If one beneficiary is blacklisted by the ERC-20 contract (e.g., asset), the safeTransfer reverts, causing the entire function to fail.
Assume a simplified ERC-20 token with blacklisting (e.g., mimicking USDT):
Deploy InheritanceManager and BlacklistToken.
Owner adds a blacklisted address (e.g., 0xdead...) as a beneficiary.
Fund the contract with BlacklistToken tokens.
After inheritance, call withdrawInheritedFunds(address(BlacklistToken)).
safeTransfer to the blacklisted address reverts, failing the entire transaction.
Impact
High. The beneficiaries will not be able to withdraw from the contract, leaving the funds locked.
Tools Used
Manual Review
Recommendations
Implement a pull-payment pattern to mitigate DoS by allowing beneficiaries to withdraw their ERC-20 shares individually, rather than distributing funds in a single transaction. This isolates the impact of a malicious beneficiary to their own withdrawal.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.