Submission Details
Severity: medium
Valid

Transfer of inheritance because removeBeneficiary() does not reset the deadline

Summary

The rules say:

Every action by the owner should reset the deadline to prevent premature inheritance. So:

  • If the owner removes a beneficiary, it is still an interaction with the contract and should count as "activity."

  • If _setDeadline() is missing, an owner could remove a beneficiary but still lose access after 90 days, even if they were just managing the contract.

Vulnerability Details

    function removeBeneficiary(address _beneficiary) external onlyOwner {
        uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);
        delete beneficiaries[indexToRemove];
        // _setDeadline() is never called here, so the 90-day timer keeps running
    }

Impact

Because the 90-day countdown is not reset, the inheritance will be transferred.

Tools Used

Manual review

Recommendations

    function removeBeneficiary(address _beneficiary) external onlyOwner {
        uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);
        delete beneficiaries[indexToRemove];
        _setDeadline(); // Reset the 90-day timer
    }
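
A Foundry regression test for the missing reset, added here as an example and not taken from the audited code base. `InheritanceModel` is a hypothetical stand-in that models only the timer; `addBeneficiary`, `removeBeneficiaryFixed`, `TIMELOCK`, the `deadline` variable and the body of `_setDeadline()` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract: only the inactivity timer is modelled.
contract InheritanceModel {
    uint256 public constant TIMELOCK = 90 days;
    address public owner = msg.sender;
    uint256 public deadline;
    address[] public beneficiaries;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function _setDeadline() internal { deadline = block.timestamp + TIMELOCK; }

    function addBeneficiary(address b) external onlyOwner {
        beneficiaries.push(b);
        _setDeadline();
    }

    // As reported: owner activity that leaves the deadline untouched.
    function removeBeneficiary(address b) external onlyOwner {
        delete beneficiaries[_getBeneficiaryIndex(b)];
    }

    // As recommended: the same removal followed by the timer reset.
    function removeBeneficiaryFixed(address b) external onlyOwner {
        delete beneficiaries[_getBeneficiaryIndex(b)];
        _setDeadline();
    }

    function _getBeneficiaryIndex(address b) internal view returns (uint256 i) {
        for (; i < beneficiaries.length; i++) if (beneficiaries[i] == b) return i;
        revert("unknown beneficiary");
    }
}

contract RemoveBeneficiaryDeadlineTest is Test {
    function test_removalCountsAsOwnerActivity() public {
        InheritanceModel m = new InheritanceModel(); // this test contract is the owner
        m.addBeneficiary(address(0xA));
        m.addBeneficiary(address(0xB));
        vm.warp(block.timestamp + 89 days); // owner returns one day before expiry
        m.removeBeneficiary(address(0xA)); // reported version
        assertEq(m.deadline(), block.timestamp + 1 days); // timer untouched: 1 day left
        m.removeBeneficiaryFixed(address(0xB)); // recommended version
        assertEq(m.deadline(), block.timestamp + 90 days); // full window restored
    }
}
```

Pointing the same assertions at every other owner-only function covers the broader "functions do not reset the deadline" tag from the judging.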

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract

functions do not reset the deadline

constructor does not initialize deadline

Appeal created

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

functions do not reset the deadline
