Submission Details
Severity: medium
Invalid

Lack of Address Validation in the sendERC20 and sendETH Functions

Summary

Both sendERC20 and sendETH functions in InheritanceManager.sol fail to validate the recipient address (_to), which can result in irreversible loss of funds.

Vulnerability Details

Neither function checks whether _to is address(0). If _to == address(0), the transaction will succeed, but the funds will be permanently lost:

  • ERC20 tokens sent to address(0) are burned.

  • ETH sent to address(0) is unrecoverable.

  • If _to == address(this), the contract could accidentally send ETH to itself, leading to unintended behavior.

Affected Code

```solidity
function sendERC20(address _tokenAddress, uint256 _amount, address _to) external nonReentrant onlyOwner {
    if (IERC20(_tokenAddress).balanceOf(address(this)) < _amount) {
        revert InsufficientBalance();
    }
    // _to is never checked before the transfer
    IERC20(_tokenAddress).safeTransfer(_to, _amount);
    _setDeadline();
}

function sendETH(uint256 _amount, address _to) external nonReentrant onlyOwner {
    // _to is never checked before the low-level call
    (bool success,) = _to.call{value: _amount}("");
    require(success, "Transfer Failed");
    _setDeadline();
}
```

Impact

**Irreversible loss of funds** for the contract and users.

Tools Used

Recommendations

Require _to to be a valid address before transferring funds:

```solidity
require(_to != address(0), "Invalid recipient address");
```
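As an added illustration (not part of the original submission or the InheritanceManager codebase), the two functions with the recommended recipient check factored into a modifier that rejects both recipients the finding names, address(0) and address(this). The InvalidRecipient error, the abstract contract name and the virtual declarations of onlyOwner, nonReentrant and _setDeadline are assumptions standing in for the real contract's definitions; IERC20 and SafeERC20 are taken from OpenZeppelin, which the original's safeTransfer call implies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hardened versions of the two functions from the finding. Only the
// recipient check is new; the owner and reentrancy guards and _setDeadline
// are assumed to exist in InheritanceManager as in the affected code.
abstract contract InheritanceManagerHardened {
    using SafeERC20 for IERC20;

    error InsufficientBalance();
    error InvalidRecipient(address to); // assumed custom error, not in the original

    modifier onlyOwner() virtual;
    modifier nonReentrant() virtual;
    function _setDeadline() internal virtual;

    // Rejects the zero address (tokens burned / ETH unrecoverable) and the
    // contract itself (self-transfer), so an owner input error reverts
    // instead of succeeding and stranding the funds.
    modifier validRecipient(address _to) {
        if (_to == address(0) || _to == address(this)) {
            revert InvalidRecipient(_to);
        }
        _;
    }

    function sendERC20(address _tokenAddress, uint256 _amount, address _to)
        external nonReentrant onlyOwner validRecipient(_to)
    {
        if (IERC20(_tokenAddress).balanceOf(address(this)) < _amount) {
            revert InsufficientBalance();
        }
        IERC20(_tokenAddress).safeTransfer(_to, _amount);
        _setDeadline();
    }

    function sendETH(uint256 _amount, address _to)
        external nonReentrant onlyOwner validRecipient(_to)
    {
        (bool success,) = _to.call{value: _amount}("");
        require(success, "Transfer Failed");
        _setDeadline();
    }
}
```

Because both functions are onlyOwner, the check guards against an operator typo rather than an external attacker, which is the kind of input-validation finding judges commonly score as low or informational.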
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
