Early Exit in Loop Causes Partial or No Fund Distribution
Summary
The buyOutEstateNFT() function in InheritanceManager.sol has a critical loop exit bug that prevents proper fund distribution. If msg.sender appears early in the beneficiaries list, the function stops execution prematurely, leading to partial or no fund transfers. This causes an inconsistent distribution mechanism.
Vulnerability Details
Root Cause
-
The function incorrectly exits early when it encounters
msg.senderin the loop:for (uint256 i = 0; i < beneficiaries.length; i++) {if (msg.sender == beneficiaries[i]) {return; // 🚨 Exits the function early, skipping remaining transfers!} else {IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);}} -
Since
msg.sender(the buyer) can be anywhere in the list, the number of people receiving funds varies depending on their position.
Impact
Partial distribution if
msg.senderappears later—some beneficiaries receive funds, but others do not.No distribution if
msg.senderappears firstLoss of user funds, as
msg.senderpays but doesn't ensure complete distribution
Tools Used
Foundry (Forge) Testing Framework
Console Logs to trace balance updates
Recommendations
Fix: Use continue; Instead of return;
Ensure all beneficiaries receive their funds, skipping msg.sender without stopping the loop:
Lead Judging Commences
buyOutNFT has return instead of continue
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.