Some ERC-20 tokens (e.g., USDT, USDC on certain networks) implement blacklisting mechanisms where specific addresses are prohibited from receiving tokens. If a transfer to a blacklisted address is attempted, the transaction reverts.
In buyOutEstateNFT, after the caller transfers tokens via safeTransferFrom, the function distributes tokens to the other beneficiaries via safeTransfer in a loop. If any one beneficiary is blacklisted by the assetToPay token, that safeTransfer reverts, halting the function and preventing the NFT burn.
Assume a simplified ERC-20 token with blacklisting (e.g., mimicking USDT):
Deploy InheritanceManager and BlacklistToken.
Owner adds a blacklisted address (e.g., 0xdead...) as a beneficiary.
Fund the contract with BlacklistToken tokens.
After inheritance, call buyOutEstateNFT(nftId).
safeTransfer to the blacklisted address reverts, failing the entire transaction.
High. Beneficiaries will be unable to withdraw from the contract, leaving the funds locked.
Manual Review
Implement a pull-payment pattern to mitigate DoS by allowing beneficiaries to withdraw their ERC-20 shares individually, rather than distributing funds in a single transaction. This isolates the impact of a malicious beneficiary to their own withdrawal.
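As an added illustration of the recommended pull-payment pattern (this is example code, not the audited InheritanceManager), buyOutEstateNFT credits each beneficiary's share to storage instead of calling safeTransfer inside the loop, and a separate withdrawShare lets each beneficiary pull their own credit. The storage names (beneficiaries, nftValue, pendingShares), the equal share split and the _burnEstateNFT hook are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative sketch, not the audited contract. Storage names, the equal
// share split and the burn hook are assumptions; the caller-eligibility
// check is omitted for brevity.
abstract contract PullPaymentBuyout {
    using SafeERC20 for IERC20;

    IERC20 public immutable assetToPay;
    address[] public beneficiaries;
    mapping(uint256 => uint256) public nftValue;      // assumed buyout price per NFT
    mapping(address => uint256) public pendingShares; // credited shares, withdrawn by pull

    constructor(IERC20 token, address[] memory initial) { assetToPay = token; beneficiaries = initial; }

    // Hook into the estate NFT logic; supplied by the inheriting contract (assumed).
    function _burnEstateNFT(uint256 nftId) internal virtual;

    // The vulnerable shape called assetToPay.safeTransfer(beneficiary, share) inside
    // this loop, so one blacklisted beneficiary reverted the whole buyout. Here the
    // loop only writes storage: no external call, so nothing inside it can revert.
    function buyOutEstateNFT(uint256 nftId) external {
        uint256 count = beneficiaries.length;
        uint256 share = nftValue[nftId] / count;
        // Buyer pays the other beneficiaries' shares into the contract up front.
        assetToPay.safeTransferFrom(msg.sender, address(this), share * (count - 1));
        for (uint256 i = 0; i < count; i++) {
            address b = beneficiaries[i];
            if (b != msg.sender) pendingShares[b] += share;
        }
        _burnEstateNFT(nftId);
    }

    // Each beneficiary pulls their own credit. If assetToPay blacklists msg.sender,
    // only this call reverts; other withdrawals and the NFT burn are unaffected.
    function withdrawShare() external {
        uint256 amount = pendingShares[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingShares[msg.sender] = 0; // effects before interaction
        assetToPay.safeTransfer(msg.sender, amount);
    }
}
```

A blacklisted beneficiary's credit simply stays in pendingShares until the token unblocks them, which is exactly the isolation the recommendation describes.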