Submission Details
Severity: high
Valid

Logic Error in buyOutEstateNFT

Summary

A logical flaw in buyOutEstateNFT causes the function to return prematurely when msg.sender is found in the beneficiaries array, leaving the buyer’s funds locked and the NFT unburned.

Vulnerability Details

    for (uint256 i = 0; i < beneficiaries.length; i++) {
        if (msg.sender == beneficiaries[i]) {
            return; // Returns before distributing funds or burning the NFT
        } else {
            IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);
        }
    }
    nft.burnEstate(_nftID);

  • The loop returns on the first match, preventing the rest of the logic (fund distribution to other beneficiaries and burnEstate) from executing.

Impact

  • The buyer (a beneficiary) loses funds to the contract without receiving the intended outcome: the NFT remains unburned.

  • Other beneficiaries never receive any portion of the buyout.

  • The contract’s intended asset-transfer flow is broken.

Tools Used

  • Foundry Tests: By writing a test where msg.sender is a beneficiary, you can see the function return prematurely and the NFT remain unburned.

  • Manual Code Review: Identified the premature return.

Recommendations

  • Remove or reorder the early return.

  • Consider skipping the buyer in distribution rather than exiting the loop immediately.

  • Ensure the NFT burn happens after the distribution logic completes.
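
The recommendations above applied to the loop, as an added sketch that is not the audited project's code. The abstract contract, the IEstateNFT interface, the _distributeAndBurn helper and the BuyOutSettled event are hypothetical names; finalAmount and divisor are passed in because the finding does not show how they are derived, and payment collection from the buyer is assumed to happen before this helper is called.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed minimal interface: only burnEstate appears in the finding.
interface IEstateNFT {
    function burnEstate(uint256 _nftID) external;
}

// Hypothetical container so the corrected loop compiles on its own.
abstract contract BuyOutDistributionSketch {
    using SafeERC20 for IERC20;

    address[] internal beneficiaries;
    address internal assetToPay;
    IEstateNFT internal nft;

    // Hypothetical event, added so off-chain monitoring can confirm settlement.
    event BuyOutSettled(uint256 indexed nftID, address indexed buyer, uint256 paidOut);

    // Assumed to be called by buyOutEstateNFT after the buyer's payment
    // has been collected; finalAmount and divisor are computed by the caller.
    function _distributeAndBurn(uint256 _nftID, uint256 finalAmount, uint256 divisor) internal {
        uint256 share = finalAmount / divisor; // same expression as the original loop
        uint256 paidOut;
        uint256 count = beneficiaries.length;

        for (uint256 i = 0; i < count; i++) {
            // Skip the buyer but keep iterating: `continue`, not `return`.
            if (msg.sender == beneficiaries[i]) {
                continue;
            }
            IERC20(assetToPay).safeTransfer(beneficiaries[i], share);
            paidOut += share;
        }

        // Reached on every call now, so the burn always follows distribution.
        nft.burnEstate(_nftID);
        emit BuyOutSettled(_nftID, msg.sender, paidOut);
    }
}
```

A Foundry regression test for this fix would call the buyout as a beneficiary and assert both that every other beneficiary's token balance increased and that the NFT no longer exists.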

Updates

Lead Judging Commences

0xtimefliez Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

buyOutNFT has return instead of continue
