Unauthorized Takeover in `inherit()` due to lack of beneficiary verification
Summary
The inherit() function in contract InheritanceManager allows anyone to claim ownership of the contract if beneficiaries.length == 1, without verifying that msg.sender is actually the sole beneficiary. This means that after 90 days of inactivity, an attacker can call inherit() and become the contract owner, completely bypassing the inheritance mechanism.
Vulnerability Details
Root Cause:
The contract fails to check whether msg.sender is the actual beneficiary when executing inherit(). The flawed logic:
Steps to Exploit:
The contract owner adds a single beneficiary using addBeneficiery().
The owner remains inactive for 90+ days, triggering the inheritance condition.
Any external address (attacker) calls inherit().
Since beneficiaries.length == 1, the contract assigns ownership to the attacker.
The attacker takes full control of the contract and its assets.
Impact
Complete contract takeover by an unauthorized entity.
Loss of all assets stored in the contract.
Beneficiaries may never receive their rightful inheritance.
Tools Used
Foundry (Solidity smart contract testing framework)
Manual review
Recommendations
To prevent unauthorized contract takeover, modify the inherit function to ensure that only the legitimate beneficiary can claim ownership. Specifically, add a check to verify that msg.sender is the sole beneficiary before assigning ownership.
The inherit function can be modified as given below:
Lead Judging Commences
Inherit depends on msg.sender so anyone can claim the contract
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.