Beginner Friendly | Solidity
Submission Details
Severity: medium
Invalid

appointTrustee() causes array out-of-bounds panic in specific conditions

Summary

The appointTrustee() function in InheritanceManager.sol can trigger an array out-of-bounds panic due to an off-by-one error in the onlyBeneficiaryWithIsInherited modifier. The issue occurs when beneficiaries.length is small and isInherited is true, producing a panic error (0x32) that reverts the transaction.

Vulnerability Details

Location:

InheritanceManager.sol, onlyBeneficiaryWithIsInherited modifier

modifier onlyBeneficiaryWithIsInherited() {
    uint256 i = 0;
    while (i < beneficiaries.length + 1) { // Off-by-one error
        if (msg.sender == beneficiaries[i] && isInherited) {
            break;
        }
        i++;
    }
    _;
}

The bug occurs because the loop runs one iteration too far (i < beneficiaries.length + 1).

  • If beneficiaries.length is small (0 or 1) and isInherited == true, the loop will try to access an out-of-bounds index, causing a panic error (0x32).

  • If beneficiaries.length is large, the loop will likely break early, meaning the bug is inconsistent.

PoC

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;

import "forge-std/Test.sol";
import {InheritanceManager} from "../src/InheritanceManager.sol";

contract AppointTrusteeTest is Test {
    InheritanceManager inheritanceManager;
    address owner = address(this);
    address newTrustee = address(0x1234);

    function setUp() public {
        inheritanceManager = new InheritanceManager();
        vm.deal(address(inheritanceManager), 10 ether);
        vm.prank(owner);
        // Register a single beneficiary, so beneficiaries.length == 1
        inheritanceManager.addBeneficiery(owner);
    }

    function test_appointTrustee_ArrayOutOfBounds() public {
        // Advance 90 days before calling inherit()
        vm.warp(block.timestamp + 90 days);
        vm.prank(owner);
        inheritanceManager.inherit();
        vm.prank(owner);
        vm.expectRevert();
        inheritanceManager.appointTrustee(newTrustee);
    }
}

Test failure output

[FAIL: panic: array out-of-bounds access (0x32)] test_appointTrustee_NoEventEmitted()

Impact

  • Any beneficiary calling appointTrustee() under these conditions will have the transaction revert, making trustee management impossible.

  • Since trustees are needed to reevaluate assets in case of disputes, this could prevent fair settlement of estate assets.

  • Funds may become locked if the trustee role is essential for payout disputes.

  • The issue is inconsistent, making it even riskier since it may go unnoticed in normal testing.

Tools Used

  • Foundry

  • Slither

  • ChatGPT

  • Manual code review

Recommendations

Fix the off-by-one error by changing the loop condition in onlyBeneficiaryWithIsInherited:

while (i < beneficiaries.length) {

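The following is an added illustration and not the project's InheritanceManager code: a minimal contract carrying both the loop shape quoted above and a variant that replaces the implicit out-of-bounds panic with an explicit membership check, plus Foundry tests that exercise each path. The contract name BeneficiaryGate, the modifier names, the custom error and the sample addresses are all constructed for this example; the test relies on forge-std's stdError.indexOOBError constant (the encoded Panic(0x32)). One point worth seeing in code: bounding the loop at beneficiaries.length on its own, without a revert when no match is found, would let every caller fall through to the function body, so the in-bounds variant below tracks a match and reverts explicitly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;

import "forge-std/Test.sol";

// Hypothetical stand-in for the gate logic; not the audited contract.
contract BeneficiaryGate {
    address[] public beneficiaries;
    bool public isInherited;

    error NotBeneficiaryOrNotInherited(address caller);

    constructor(address[] memory initial, bool inherited) {
        beneficiaries = initial;
        isInherited = inherited;
    }

    // Loop shape as quoted in the report (length + 1): a caller that is never
    // matched walks off the end of the array and hits panic 0x32.
    modifier gateByPanic() {
        uint256 i = 0;
        while (i < beneficiaries.length + 1) {
            if (msg.sender == beneficiaries[i] && isInherited) break;
            i++;
        }
        _;
    }

    // In-bounds variant: the loop never indexes past the array and the
    // failure case reverts with a named error instead of a panic.
    modifier gateByRevert() {
        bool allowed = false;
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (msg.sender == beneficiaries[i] && isInherited) {
                allowed = true;
                break;
            }
        }
        if (!allowed) revert NotBeneficiaryOrNotInherited(msg.sender);
        _;
    }

    function pingPanic() external gateByPanic returns (bool) { return true; }
    function pingRevert() external gateByRevert returns (bool) { return true; }
}

contract BeneficiaryGateTest is Test {
    address alice = address(0xA11CE);  // constructed sample beneficiary
    address mallory = address(0xBAD);  // constructed sample outsider

    function _gate(bool inherited) internal returns (BeneficiaryGate g) {
        address[] memory b = new address[](1);
        b[0] = alice;
        g = new BeneficiaryGate(b, inherited);
    }

    function test_beneficiaryPassesBothGates() public {
        BeneficiaryGate g = _gate(true);
        vm.prank(alice);
        assertTrue(g.pingPanic());
        vm.prank(alice);
        assertTrue(g.pingRevert());
    }

    function test_outsiderHitsPanicOnQuotedShape() public {
        BeneficiaryGate g = _gate(true);
        vm.prank(mallory);
        vm.expectRevert(stdError.indexOOBError); // Panic(0x32)
        g.pingPanic();
    }

    function test_listedBeneficiaryBeforeInheritAlsoPanics() public {
        // isInherited == false: the && never holds, so even a listed
        // beneficiary reaches index beneficiaries.length and panics.
        BeneficiaryGate g = _gate(false);
        vm.prank(alice);
        vm.expectRevert(stdError.indexOOBError);
        g.pingPanic();
    }

    function test_outsiderGetsNamedErrorOnExplicitVariant() public {
        BeneficiaryGate g = _gate(true);
        vm.prank(mallory);
        vm.expectRevert(
            abi.encodeWithSelector(BeneficiaryGate.NotBeneficiaryOrNotInherited.selector, mallory)
        );
        g.pingRevert();
    }
}
```

Run with forge test in a Foundry project that has forge-std installed. The third test shows that the panic fires on the quoted loop whenever no element satisfies the && condition, regardless of array length; the explicit variant surfaces the same denial as a decodable custom error, which is easier to assert on and to trace in monitoring than a bare panic code.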
Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

0xe1i Submitter
10 months ago
0xtimefliez Lead Judge
10 months ago
0xe1i Submitter
10 months ago
0xtimefliez Lead Judge
10 months ago
0xtimefliez Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
