Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Transient Storage Slot Usage in Reentrancy Guard

0xsixeyes

Summary

The nonReentrant modifier in the InheritanceManager contract uses different transient storage slots for checking and setting the reentrancy lock, making the implementation incorrect. However, due to the presence of onlyOwner modifier on all functions using this guard, no actual exploitation is possible.

Vulnerability Details

The nonReentrant modifier implementation uses slot 1 for checking the lock but slot 0 for setting it:

modifier nonReentrant() {

assembly {

if tload(1) { revert(0, 0) } // Checks slot 1

tstore(0, 1) // Sets slot 0

}

assembly {

tstore(0, 0) // Clears slot 0

}

The modifier is used in the following functions:

This means:

The check looks at slot 1 which is never modified
The lock is set in slot 0 which is never checked
The reentrancy protection is technically ineffective

However, all functions using this modifier (sendERC20 and sendETH) also implement the onlyOwner modifier, which prevents any potential reentrancy by ensuring only the contract owner can call these functions.

Impact

LOW

While the implementation of the reentrancy guard is incorrect, the actual security impact is minimal because:

No functions in the current implementation can be exploited due to the onlyOwner modifier
Any reentrancy attempt would fail at the onlyOwner check since the reentrant call would come from a different address
No loss of funds is possible with the current implementation

However, this could become a more serious issue if:

The contract is inherited and the broken modifier is relied upon for security
New functions are added that use only nonReentrant for protection
The contract is modified to use nonReentrant without onlyOwner

Tools Used

Manual review
Code inspection
Official Solidity Documentation Transient Storage Opcodes in Solidity
Foundry tests

Recommendations

Update the nonReentrant modifier to use the same storage slot for both checking and setting the lock:

modifier nonReentrant() {

assembly {

if tload(0) { revert(0, 0) } // Check slot 0

tstore(0, 1) // Sets slot 0

}

assembly {

tstore(0, 0) // Clears slot 0

}

Consider using OpenZeppelin's battle-tested implementations instead of custom access control and security mechanisms:

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

import "@openzeppelin/contracts/access/Ownable.sol";

contract InheritanceManager is Trustee, ReentrancyGuard, Ownable {

// ... rest of the contract

}

This would provide several benefits:

Use of thoroughly audited and widely deployed code
Reduced risk of implementation errors
Better standardization and maintainability
Regular security updates and improvements from the OpenZeppelin team
Increased trust from users and auditors who are familiar with these standard implementations

Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Wrong value in nonReentrant modifier

0xtimefliez Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Wrong value in nonReentrant modifier

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!