Submission Details
Severity: medium
Invalid

Missing Asset Validation Vulnerability in Estate NFT Functions

Description

The createEstateNFT() function allows setting assetToPay to any address including address(0) (the zero address), but the buyOutEstateNFT() function explicitly does not support ETH payments and will fail if assetToPay is set to address(0).

function createEstateNFT(string memory _description, uint256 _value, address _asset) external onlyOwner {
    uint256 nftID = nft.createEstate(_description);
    nftValue[nftID] = _value;
    assetToPay = _asset;
}

In buyOutEstateNFT(), the function attempts to use the ERC20 interface on whatever address is stored in assetToPay:

/**
 * @dev On-Chain payment of underlaying assets.
 * CAN NOT use ETHER
 * @param _nftID NFT ID to buy out
 */
function buyOutEstateNFT(uint256 _nftID) external onlyBeneficiaryWithIsInherited {
    uint256 value = nftValue[_nftID];
    uint256 divisor = beneficiaries.length;
    uint256 multiplier = beneficiaries.length - 1;
    uint256 finalAmount = (value / divisor) * multiplier;
    IERC20(assetToPay).safeTransferFrom(msg.sender, address(this), finalAmount);
    for (uint256 i = 0; i < beneficiaries.length; i++) {
        if (msg.sender == beneficiaries[i]) {
            return;
        } else {
            IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);
        }
    }
    nft.burnEstate(_nftID);
}

Impact

  • If the owner sets assetToPay to address(0), the buyOutEstateNFT() function will always revert because address(0) does not implement the ERC20 interface.

  • This would permanently lock the NFT, making it impossible for beneficiaries to buy out the estate, directly contradicting the intended inheritance functionality.

  • The inconsistency between allowing address(0) in createEstateNFT() but not supporting it in buyOutEstateNFT() creates a potential denial of service vulnerability.

Recommendation

Add validation in the createEstateNFT() function to prevent setting assetToPay to address(0):

function createEstateNFT(string memory _description, uint256 _value, address _asset) external onlyOwner {
    require(_asset != address(0), "ETH payments not supported for estates");
    uint256 nftID = nft.createEstate(_description);
    nftValue[nftID] = _value;
    assetToPay = _asset;
}

Alternatively, if ETH payments should be supported, modify the buyOutEstateNFT() function to handle both ERC20 tokens and ETH payments using a pattern similar to the one used in withdrawInheritedFunds().

Tools Used

  • Manual Code Review

  • Static Analysis
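
Added example, not part of the submission or of the audited contract: the unchecked asset setter beside a hardened one that rejects address(0) and, going slightly beyond the recommendation above, any address with no deployed code. EstateAssetGuard, IERC20Min and every function and error name here are hypothetical; pullPayment reproduces the empty-return-data check that safe-transfer wrappers apply.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only; all names below are assumptions, not the project's code.
interface IERC20Min {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract EstateAssetGuard {
    address public owner = msg.sender;
    address public assetToPay;

    error NotOwner();
    error AssetIsZeroAddress();
    error AssetHasNoCode(address asset);
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Weak form, matching the setter quoted on the page: any address is accepted.
    function setAssetUnchecked(address _asset) external onlyOwner {
        assetToPay = _asset;
    }

    // Hardened form: reject address(0) and any address without deployed code,
    // since neither can answer an ERC20 call.
    function setAssetChecked(address _asset) external onlyOwner {
        if (_asset == address(0)) revert AssetIsZeroAddress();
        if (_asset.code.length == 0) revert AssetHasNoCode(_asset);
        assetToPay = _asset;
    }

    // A low-level call to a code-less address returns success with empty data,
    // so the target's code size must be checked before trusting the result.
    function pullPayment(uint256 amount) external {
        address asset = assetToPay;
        (bool ok, bytes memory ret) = asset.call(
            abi.encodeCall(IERC20Min.transferFrom, (msg.sender, address(this), amount))
        );
        if (!ok) revert TransferFailed();
        if (ret.length == 0 ? asset.code.length == 0 : !abi.decode(ret, (bool))) {
            revert TransferFailed();
        }
    }
}
```

After setAssetUnchecked(address(0)), every pullPayment call reverts with TransferFailed; setAssetChecked rejects the same input when the asset is configured instead of at payment time.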

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
