Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unrestricted Ownership Transfer via inherit() Function

howiecht

Summary

The inherit() function lets anyone become the contract's owner after a deadline, even if they aren't the intended beneficiary. This happens when there's only one beneficiary because the code forgets to check if the person calling the function is actually that beneficiary. This means someone could steal the contract and its funds.

Vulnerability Details

The inherit() function is designed to transfer ownership to the beneficiary after the deadline. However, when there is only one beneficiary, the function only checks if the deadline has passed and if beneficiaries.length is equal to 1. It fails to verify that the caller (msg.sender) is the beneficiary at index 0. This oversight allows any external user to call inherit() after the deadline and become the owner, effectively stealing the contract and its funds.

Impact

This vulnerability allows any external user to claim ownership of the contract and its funds after the deadline, leading to potential loss of assets. This is a critical security flaw that directly contradicts the intended functionality of the contract.

Tools Used

Manual Review

Recommendations

function inherit() external {
if (block.timestamp < getDeadline()) {
revert InactivityPeriodNotLongEnough();
}
- if (beneficiaries.length == 1) {
+ if (beneficiaries.length == 1 && msg.sender == beneficiaries[0]) {
owner = msg.sender;
_setDeadline();
} else if (beneficiaries.length > 1) {
isInherited = true;
} else {
revert InvalidBeneficiaries();
}
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.