Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Faulty Beneficiary Removal in removeBeneficiary()

lszb

Summary

The removeBeneficiary() function has a security flaw in how it removes beneficiaries from the beneficiaries array. Instead of properly removing an element and adjusting the array's length, it uses the delete keyword, which sets the specified element to address(0) (the null address) without reducing the array size. This leads to several serious problems, including gas inefficiency, potential loss of funds, and incorrect logic in inheritance distribution.

Vulnerability Details

In the current implementation, the function identifies the index of the beneficiary to remove and uses delete to set that element to address(0). However, this does not shift the remaining elements or decrease the array's length, leaving gaps in the array.

Vulnerable Code:

function removeBeneficiary(address _beneficiary) external onlyOwner {

uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);

delete beneficiaries[indexToRemove]; // Sets to address(0), array length unchanged

}

Impact

Gas Costs: Iterating over an array with null entries wastes computational resources, increasing transaction fees.
Fund Loss: Sending funds to address(0) during inheritance distribution can result in permanent loss or failed transactions, preventing beneficiaries from accessing their shares.
Logic Errors: Incorrect array length misleads functions that depend on the number of beneficiaries, disrupting the contract's intended behavior.

Proof of Concept (PoC)

The beneficiaries array starts as [address1, address2, address3].
The owner calls removeBeneficiary(address2).
The array becomes [address1, address(0), address3], with length = 3.
When withdrawInheritedFunds() is called to distribute funds, it attempts to send funds to address(0), causing the transaction to revert and blocking all beneficiaries from receiving their inheritance.

Tools Used

Manual review

Recommendations

Modify the function to properly remove the beneficiary by shifting elements, ensuring no empty slots are left in the array:

function removeBeneficiary(address _beneficiary) external onlyOwner {

uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);

uint256 lastIndex = beneficiaries.length - 1;

if (indexToRemove != lastIndex) {

beneficiaries[indexToRemove] = beneficiaries[lastIndex]; // Shift last element to fill the gap

}

beneficiaries.pop(); // Remove last entry to maintain correct array length

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect removal from beneficiary list causes funds to be send to 0 address

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!