Beginner Friendly, Solidity
Submission Details
Severity: medium
Invalid

appointTrustee() causes array out-of-bounds panic in specific conditions

Summary

The appointTrustee() function in InheritanceManager.sol can revert with an array out-of-bounds panic because of an off-by-one loop bound in the onlyBeneficiaryWithIsInherited modifier. The loop index runs up to beneficiaries.length inclusive, so whenever no iteration breaks early (the caller is not a listed beneficiary, or isInherited is false) the final iteration reads beneficiaries[beneficiaries.length] and the transaction reverts with panic code 0x32 instead of a descriptive error.

Vulnerability Details

Location:

InheritanceManager.sol, onlyBeneficiaryWithIsInherited modifier

modifier onlyBeneficiaryWithIsInherited() {
    uint256 i = 0;
    while (i < beneficiaries.length + 1) { // Off-by-one error: last index read is beneficiaries.length
        if (msg.sender == beneficiaries[i] && isInherited) {
            break;
        }
        i++;
    }
    _;
}

The bug occurs because the loop runs one iteration too far (i < beneficiaries.length + 1).

  • The index runs from 0 to beneficiaries.length inclusive. The only early exit is the break, which fires when msg.sender equals beneficiaries[i] and isInherited is true. A listed beneficiary calling after isInherited has been set therefore breaks at its own index, whatever the array size, and never reaches the out-of-bounds read.

  • If no iteration breaks (the caller is not in beneficiaries, or isInherited is still false), the last iteration evaluates beneficiaries[beneficiaries.length], which reverts with panic code 0x32. An empty array hits it on the very first iteration. The outcome depends only on the caller and the flag, not on the array size, so the behaviour is deterministic rather than intermittent.

PoC

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;

import "forge-std/Test.sol";
import {InheritanceManager} from "../src/InheritanceManager.sol";

contract AppointTrusteeTest is Test {
    InheritanceManager inheritanceManager;
    address owner = address(this);
    address newTrustee = address(0x1234);

    function setUp() public {
        inheritanceManager = new InheritanceManager();
        vm.deal(address(inheritanceManager), 10 ether);
        vm.prank(owner);
        inheritanceManager.addBeneficiery(owner); // function name as spelled in the contract
    }

    function test_appointTrustee_ArrayOutOfBounds() public {
        vm.warp(block.timestamp + 90 days); // move past the inactivity deadline
        vm.prank(owner);
        inheritanceManager.inherit();
        vm.prank(owner);
        // No vm.expectRevert() here: the panic is meant to surface as the test failure shown below.
        inheritanceManager.appointTrustee(newTrustee);
    }
}

Test failure output

[FAIL: panic: array out-of-bounds access (0x32)] test_appointTrustee_ArrayOutOfBounds()

Impact

  • A beneficiary who calls appointTrustee() before isInherited is set, and any caller who is not a listed beneficiary, is rejected by a panic (0x32) rather than by a descriptive revert, so trustee management fails with an error that looks like a bug instead of an access-control decision.

  • Since trustees are needed to reevaluate assets in case of disputes, this could prevent fair settlement of estate assets.

  • Funds may become locked if the trustee role is essential for payout disputes.

  • Because the revert depends on the caller and the isInherited flag rather than on array size, the behaviour is deterministic; a test suite that only exercises the happy path (a listed beneficiary calling after inherit()) will never observe it.

Tools Used

  • Foundry

  • Slither

  • ChatGPT

  • Manual code review

Recommendations

Fix the off-by-one error by changing the loop condition in onlyBeneficiaryWithIsInherited:

while (i < beneficiaries.length) {

On its own this change is not enough. In the current modifier the out-of-bounds panic is the only thing that stops a non-beneficiary (or a call made while isInherited is false) from reaching the function body: once the loop is bounded correctly, an unmatched caller simply exhausts the loop and the body runs, so appointTrustee() becomes callable by anyone. The modifier also needs an explicit revert when the loop finishes without a match.

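The following is an added example, not code from the submission or from the InheritanceManager project. BeneficiaryGate is a hypothetical stand-in that models only the state the modifier touches (owner, isInherited, beneficiaries, trustee); setInherited() is a test-only hook standing in for whatever inherit() does in the real contract. It shows the hardened modifier with a bounded loop and an explicit NotAuthorized revert, together with a Foundry test covering the three caller cases: beneficiary before the flag is set, non-beneficiary after it is set, and beneficiary after it is set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;

import {Test} from "forge-std/Test.sol";

/// Hypothetical minimal stand-in for InheritanceManager (example code, not the project's).
contract BeneficiaryGate {
    error NotAuthorized(address caller);

    address public owner;
    bool public isInherited;
    address[] public beneficiaries;
    address public trustee;

    constructor() {
        owner = msg.sender;
    }

    function addBeneficiary(address b) external {
        require(msg.sender == owner, "not owner");
        beneficiaries.push(b);
    }

    /// Test-only hook so the example can flip the flag directly; the real
    /// contract sets it inside inherit() after the inactivity period.
    function setInherited(bool v) external {
        require(msg.sender == owner, "not owner");
        isInherited = v;
    }

    /// Hardened onlyBeneficiaryWithIsInherited: the loop stops at
    /// beneficiaries.length, and an unmatched caller is rejected explicitly
    /// instead of relying on an out-of-bounds panic (0x32).
    modifier onlyBeneficiaryWithIsInherited() {
        if (!isInherited || !_isBeneficiary(msg.sender)) {
            revert NotAuthorized(msg.sender);
        }
        _;
    }

    function _isBeneficiary(address who) internal view returns (bool) {
        uint256 len = beneficiaries.length;
        for (uint256 i = 0; i < len; i++) {
            if (beneficiaries[i] == who) return true;
        }
        return false;
    }

    function appointTrustee(address t) external onlyBeneficiaryWithIsInherited {
        trustee = t;
    }
}

contract BeneficiaryGateTest is Test {
    BeneficiaryGate gate;
    address alice = makeAddr("alice");     // listed beneficiary
    address mallory = makeAddr("mallory"); // not listed
    address newTrustee = makeAddr("trustee");

    function setUp() public {
        gate = new BeneficiaryGate(); // the test contract is the owner
        gate.addBeneficiary(alice);
    }

    // Beneficiary, but isInherited is still false: clean custom error, no panic.
    function test_beneficiaryBeforeInherit_revertsCleanly() public {
        vm.prank(alice);
        vm.expectRevert(abi.encodeWithSelector(BeneficiaryGate.NotAuthorized.selector, alice));
        gate.appointTrustee(newTrustee);
    }

    // Flag set, but caller is not a beneficiary: must still be rejected.
    function test_nonBeneficiary_revertsCleanly() public {
        gate.setInherited(true);
        vm.prank(mallory);
        vm.expectRevert(abi.encodeWithSelector(BeneficiaryGate.NotAuthorized.selector, mallory));
        gate.appointTrustee(newTrustee);
    }

    // Flag set and caller listed: the only path that reaches the body.
    function test_beneficiaryAfterInherit_succeeds() public {
        gate.setInherited(true);
        vm.prank(alice);
        gate.appointTrustee(newTrustee);
        assertEq(gate.trustee(), newTrustee);
    }
}
```

The second test is the one that a bound-only fix (while (i < beneficiaries.length) with no revert after the loop) would fail: mallory would exhaust the loop and appoint the trustee. Run with forge test -vv to see the custom error selectors in the traces.
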
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xe1i Submitter
6 months ago
0xtimefliez Lead Judge
6 months ago
0xe1i Submitter
6 months ago
0xtimefliez Lead Judge
6 months ago
0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
