The NFTFactory contract restricts the minting and burning of estate NFTs exclusively to an immutable inheritanceManager set at deployment. This design choice creates an access control risk: if the designated inheritanceManager is compromised, lost, or becomes obsolete due to contract upgrades or owner migration, no new estates can be minted or burned. This could lead either to permanent loss of contract functionality or to unauthorized actions if the role is improperly assigned.
Affected Functions:
createEstate(string memory description)
burnEstate(uint256 _id)
Description:
Both functions are protected by the onlyInheritanceManager modifier, which verifies that the caller is equal to the immutable inheritanceManager address set during deployment. There is no function in the contract that allows updating or transferring the inheritanceManager role. Consequently, if the designated manager is compromised or lost, the contract becomes non-functional regarding NFT minting and burning. Conversely, if the wrong address is set initially, an attacker might be able to exercise these privileges.
Code Snippet Illustrating the Issue:
The root cause of the vulnerability is the absence of an update mechanism for the inheritanceManager address. The contract sets this role only once in the constructor without any provision for modification. This design choice means that if the address becomes inaccessible or if operational requirements change, the NFTFactory contract cannot adapt, leading to potential loss of functionality or security breaches.
Permanent Loss of Functionality:
If the inheritanceManager is lost (for example, if its private key is compromised or inaccessible), no new estate NFTs can be created or existing ones burned. This locks the contract’s functionality permanently.
Unauthorized NFT Minting:
Should the wrong address be set as the inheritanceManager, or if that address is later compromised, an attacker could mint or burn NFTs without authorization, undermining the integrity of the estate management process.
Economic Impact:
Loss of NFT minting/burning capabilities can result in disputes over estate allocation, potential legal implications, and financial losses for the stakeholders who rely on the contract for secure estate management.
Foundry:
To mitigate this risk, implement an update mechanism that allows transferring the inheritanceManager role in a controlled manner. A suggested mitigation is as follows:
Introduce an Update Function:
Emit an Event for Transparency:
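An added example, not the audited project's code, covering both mitigation steps above: a two-step handover of the inheritanceManager role with events on nomination and on the change. The `admin` address (assumed to be a multisig or governance contract separate from the manager), `pendingManager`, and all function, event and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: a transferable manager role that a factory such as
/// NFTFactory could inherit in place of an immutable manager address.
abstract contract TransferableInheritanceManager {
    address public inheritanceManager; // mutable here; immutable in the reported design
    address public pendingManager;     // nominated successor, not yet active
    address public immutable admin;    // assumption: multisig/governance, not the manager key

    event ManagerNominated(address indexed current, address indexed nominee);
    event ManagerUpdated(address indexed previous, address indexed current);

    error NotAuthorized(address caller);
    error ZeroAddress();

    constructor(address _manager, address _admin) {
        if (_manager == address(0) || _admin == address(0)) revert ZeroAddress();
        inheritanceManager = _manager;
        admin = _admin;
        emit ManagerUpdated(address(0), _manager);
    }

    // Same check the finding describes, now against a mutable address.
    modifier onlyInheritanceManager() {
        if (msg.sender != inheritanceManager) revert NotAuthorized(msg.sender);
        _;
    }

    /// Step 1: only the admin nominates, so a lost or compromised manager key
    /// can neither block the handover nor redirect it.
    function nominateManager(address nominee) external {
        if (msg.sender != admin) revert NotAuthorized(msg.sender);
        if (nominee == address(0)) revert ZeroAddress();
        pendingManager = nominee;
        emit ManagerNominated(inheritanceManager, nominee);
    }

    /// Step 2: the nominee must call in, which rejects mistyped or dead addresses.
    function acceptManager() external {
        if (msg.sender != pendingManager) revert NotAuthorized(msg.sender);
        address previous = inheritanceManager;
        inheritanceManager = msg.sender;
        delete pendingManager;
        emit ManagerUpdated(previous, msg.sender);
    }
}
```

The `admin` key becomes the new trust anchor, so its custody needs the same scrutiny the finding applies to the manager; monitoring `ManagerNominated` gives operators a window to react before a handover completes.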