Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect Beneficiary Index Handling

willubedaone

Summary

The _getBeneficiaryIndex function in the InheritanceManager contract is responsible for retrieving the index of a given beneficiary within the beneficiaries array. However, the function currently has a vulnerability that could lead to incorrect deletions or unintended behavior if the beneficiary is not found.

Vulnerability Details

The function attempts to return an index for a given beneficiary.

If the beneficiary does not exist in the beneficiaries array, the function does not return a valid index but instead leaves _index uninitialized.
In Solidity, an uninitialized uint256 defaults to 0. This means that if the function is used incorrectly (without proper validation), it could lead to unintended consequences, such as deleting the wrong beneficiary from the array.
Although the function does include a check (if (!found) { revert("Beneficiary not found"); }), it still declares _index as a return variable, which may cause confusion and incorrect usage.

Impact

Incorrect deletions: If a non-existent beneficiary is queried and the returned value is mistakenly assumed to be valid (0), the first beneficiary in the list may be incorrectly removed.

Unexpected behavior: Other functions that rely on this function may process incorrect data due to the lack of a safer return type.
Potential security risk: This vulnerability could be exploited if an attacker manipulates function calls that rely on _getBeneficiaryIndex.

Tools Used

Manual Review

The Vulnerable Code

/**

* @dev takes beneciciary address and returns index as a helper function for removeBeneficiary

* @param _beneficiary address to fetch the index for

function _getBeneficiaryIndex(address _beneficiary) public view returns (uint256 _index) {

for (uint256 i = 0; i < beneficiaries.length; i++) {

if (_beneficiary == beneficiaries[i]) {

_index = i;

break;

}

Recommendations

To mitigate this issue, the _getBeneficiaryIndex function should be updated to ensure that it does not return an uninitialized value. The best practice is to revert if the beneficiary is not found before attempting to return any value.

function _getBeneficiaryIndex(address _beneficiary) public view returns (uint256) {

for (uint256 i = 0; i < beneficiaries.length; i++) {

if (_beneficiary == beneficiaries[i]) {

return i;

}

revert BeneficiaryNotFound();

}

Key Fixes

Removed the found boolean: Instead of tracking whether the beneficiary is found, the function now immediately returns the index when a match is found.
Ensured function always reverts if the beneficiary is not found: The function now reverts before attempting to return an index, preventing potential misuse of an uninitialized variable.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.