The `withdrawInheritedFunds` function does not include any protection to ensure that only authorized users (i.e., the beneficiaries) can call it. This could allow unauthorized addresses to withdraw native Ether (ETH) or ERC20 tokens from the contract.
The function `withdrawInheritedFunds` allows the withdrawal of Ether or ERC20 tokens by the beneficiaries of the contract. However, there are no checks to ensure that only authorized beneficiaries can call the function. This lack of restriction allows any address to call it, which could result in unauthorized users being able to withdraw funds.
Since the function lacks a proper check on `msg.sender`, any address could trigger it and withdraw Ether or ERC20 tokens, potentially leading to a loss of funds.
Unauthorized users could call this function and withdraw Ether or ERC20 tokens, which could result in a loss of funds.
Manual code review + Aderyn
Implement access control on `msg.sender`: introduce a check to ensure that only authorized users (the beneficiaries) can call this function. Verifying that the caller is a registered beneficiary would mitigate this risk.
Additional access control: an `onlyBeneficiaries` modifier could handle authorization for all functions that require beneficiary access. This would simplify the code and ensure that only authorized addresses can interact with those entry points.
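The following is an added illustration of the recommendation above; it is not code from the audited project. The contract shape (an `address[] beneficiaries` array, a `_payOut` helper that splits the contract balance equally, the `IERC20` interface, the `_asset` parameter, and the `InheritanceExample` name) is an assumption made to show the unprotected function next to its hardened form guarded by an `onlyBeneficiaries` modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used by the payout path (assumed; the audited
// contract's exact token handling is not shown in this report).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical inheritance contract built only to illustrate the finding.
// Every name other than withdrawInheritedFunds / beneficiaries is an assumption.
contract InheritanceExample {
    address[] public beneficiaries;

    // Constructed lookup so the modifier is an O(1) check instead of a loop
    // over the beneficiaries array.
    mapping(address => bool) private isBeneficiary;

    error NotBeneficiary(address caller);
    error ZeroAddress();
    error NoBeneficiaries();

    constructor(address[] memory _beneficiaries) {
        if (_beneficiaries.length == 0) revert NoBeneficiaries();
        for (uint256 i = 0; i < _beneficiaries.length; i++) {
            if (_beneficiaries[i] == address(0)) revert ZeroAddress();
            beneficiaries.push(_beneficiaries[i]);
            isBeneficiary[_beneficiaries[i]] = true;
        }
    }

    // Lets the contract hold native ETH to be inherited.
    receive() external payable {}

    // Access control for every beneficiary-only entry point: reverts unless
    // msg.sender was registered as a beneficiary at deployment.
    modifier onlyBeneficiaries() {
        if (!isBeneficiary[msg.sender]) revert NotBeneficiary(msg.sender);
        _;
    }

    // VULNERABLE shape, as described in this finding: no check on msg.sender,
    // so any address can trigger the payout. Kept only for comparison.
    function withdrawInheritedFundsUnprotected(address _asset) external {
        _payOut(_asset);
    }

    // HARDENED form: the same logic, reachable only by a registered beneficiary.
    function withdrawInheritedFunds(address _asset) external onlyBeneficiaries {
        _payOut(_asset);
    }

    // Splits the contract's balance of the asset (address(0) == native ETH)
    // equally among all beneficiaries.
    function _payOut(address _asset) internal {
        uint256 count = beneficiaries.length;
        if (_asset == address(0)) {
            uint256 share = address(this).balance / count;
            for (uint256 i = 0; i < count; i++) {
                (bool ok, ) = beneficiaries[i].call{value: share}("");
                require(ok, "ETH transfer failed");
            }
        } else {
            IERC20 token = IERC20(_asset);
            uint256 share = token.balanceOf(address(this)) / count;
            for (uint256 i = 0; i < count; i++) {
                require(token.transfer(beneficiaries[i], share), "token transfer failed");
            }
        }
    }
}
```

Two points worth noting about this shape. The modifier consults a mapping populated once in the constructor, so the check costs the same no matter how many beneficiaries exist; if the real contract allows beneficiaries to be added or removed later, the mapping must be updated in those same paths or the check drifts out of sync with the array. The same modifier can then be reused on any other beneficiary-only function rather than repeating an inline `require`.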