Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unrestricted Access to `InheritanceManager::withdrawInheritedFunds` allows forced fund distribution

olayinkablexxy

Summary

The InheritanceManager::withdrawInheritedFunds function is callable by anyone, not just beneficiaries. This allows an attacker or any external party to force the distribution of funds to beneficiaries, even if they are not ready or willing to receive the funds. While beneficiaries can send the funds back to the contract, this results in unnecessary gas costs and disrupts the intended workflow of the contract.

Proof Of Code

Place the test below in ./test/InheritanceManagerTest.t.sol file:

function test_unrestricted_withdrawal() external {
address attacker = makeAddr("Attacker");
address user2 = makeAddr("user2");
vm.startPrank(owner);
im.addBeneficiery(user1);
im.addBeneficiery(user2);
vm.stopPrank();
usdc.mint(address(im), 9e18);
vm.warp(1 + 90 days);
vm.prank(user1);
im.inherit();
// attacker forcefully distribute funds
vm.prank(attacker);
im.withdrawInheritedFunds(address(usdc));
assertEq(45e17, usdc.balanceOf(user1));
assertEq(45e17, usdc.balanceOf(user2));
// beneficiaries need to send the funds back leading to loss of money due to gas cost
}

Impact

Lost of funds due to unnecessary gas costs and loss of control over the timing of fund distribution.

Tools Used

  • Manual Review

  • Foundry

Recommendations

Add the InheritanceManager::onlyBeneficiaryWithIsInherited modifier to restrict access to the beneficiaries only.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.