Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

`contractInteractions` function: The function fails to reset the deadline timer, violating a core contract invariant

alekseyts

Summary

A high vulnerability has been identified in the InheritanceManager contract's contractInteractions function. The function fails to reset the deadline timer, violating a core contract invariant that requires every owner transaction to reset the 90-day timer.

Vulnerability Details

The vulnerability exists in the deadline management system:

  1. Missing Deadline Reset:

  • The contractInteractions function does not call _setDeadline()

  • This violates the core contract assumption that all owner transactions must reset the timer

  • Function allows interaction with external contracts without updating the dead man's switch timer

  1. Core Assumption Violation:
    From the test:

//SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
import {Test, console} from "forge-std/Test.sol";
import {InheritanceManager} from "../src/InheritanceManager.sol";
import {ERC20Mock} from "@openzeppelin/contracts/mocks/token/ERC20Mock.sol";
contract InheritanceManagerAuditTest is Test {
InheritanceManager im;
ERC20Mock usdc;
ERC20Mock weth;
address owner = makeAddr("owner");
address user1 = makeAddr("user1");
function setUp() public {
vm.prank(owner);
im = new InheritanceManager();
usdc = new ERC20Mock();
weth = new ERC20Mock();
}
// test contractInteractions : do not reset deadline
function test_contractInteractions_dontResetDeadline() public {
/**
based on: ## Core Assumptions and Invariants
1. EVERY transaction the owner does with this contract must reset the 90 days timer
*/
address someContract1 = makeAddr("someContract1");
address someContract2 = makeAddr("someContract2");
uint256 amount = 10e10;
vm.deal(address(im), amount);
vm.startPrank(owner);
im.contractInteractions(someContract1, hex"", 10, true);
im.contractInteractions(someContract2, hex"", 10, true);
vm.stopPrank();
assert(true);
}
}

The test demonstrates this by:

  1. Creating two mock contract addresses

  2. Funding the contract with 10e10 wei

  3. Owner performs two contract interactions:

    • Interaction with someContract1

    • Interaction with someContract2

  4. Neither interaction resets the deadline timer

Impact

High severity. The vulnerability allows:

  • Violation of core contract security assumptions

  • Breaking of the dead man's switch mechanism

  • Potential premature inheritance triggers

  • Inconsistent deadline management across owner operations

Tools Used

  • Manual code review

  • Foundry test framework

  • Contract invariant analysis

  • Mock contract interactions testing

Recommendations

  1. Add deadline reset to contractInteractions:

function contractInteractions(
address _contract,
bytes memory _data,
uint256 _executionDelay,
bool _active
) external onlyOwner {
// existing interaction logic
// ...
// Reset deadline
_setDeadline();
}

  1. Implement systematic safeguards:

  • Create a modifier for owner functions that automatically resets deadline:

modifier resetsDeadline() {
_setDeadline();
_;
}

  • Apply modifier to all owner functions

  • Add events for deadline changes

  1. Add additional security measures:

  • Implement deadline verification checks

  • Add function to check last deadline reset

  • Create emergency pause mechanism for contract interactions

Updates

Lead Judging Commences

0xtimefliez Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

functions do not reset the deadline

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.