Submission Details
Severity: high
Invalid

Potential Denial of Service (DOS) Due to Blacklisted Address

Summary:
If any beneficiary's address is blacklisted by the ERC-20 used as the payment asset, functions such as InheritanceManager::buyOutEstateNFT and InheritanceManager::withdrawInheritedFunds revert inside their beneficiary loop, which locks every other beneficiary out of these functionalities as well.

Vulnerability Details:
Both functions iterate over all beneficiaries and transfer each one's share in the same loop. When the token reverts the transfer to a blacklisted beneficiary, the revert propagates out of the loop and the whole call fails, so the function becomes uncallable for everyone.

Test & Code Example
    // Foundry test, excerpted from the submitter's test contract: `im` is the
    // InheritanceManager under test, `usdc` the payment asset and `user3` a
    // beneficiary. The test expects buyOutEstateNFT(1) to revert.
    function test__One_Address_Can_lockup_buyOutEstateNFT() public {
        _addDelegates();
        im.createEstateNFT(_description, asset_value, address(usdc));
        vm.startPrank(user3);
        usdc.mint(user3, 1000e18);
        usdc.approve(address(im), 1000e18);
        vm.warp(block.timestamp + 95 days);
        im.inherit();
        vm.expectRevert();
        im.buyOutEstateNFT(1);
    }

Impact:
High – The function can be intentionally locked, causing a denial of service.

Tools Used:
slither, aderyn, foundry

Recommendations:
When iterating over beneficiaries, use a try-catch block to handle transfer failures rather than reverting the entire loop.
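One way to implement this recommendation, shown as an added example rather than the InheritanceManager code or the submitter's diff: each share is sent with a try/catch on the token's external transfer (so the catch actually applies), and a share whose transfer fails is credited to a mapping the beneficiary can pull later instead of being lost. The contract and function names (BeneficiaryPayout, distribute, claim, owed) are assumptions, and the token is assumed to return a bool from transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Assumed sketch, not the audited contract: equal-share payout with a
// pull-payment fallback for beneficiaries the token refuses to pay.
contract BeneficiaryPayout {
    IERC20 public immutable assetToPay;
    address[] public beneficiaries;
    mapping(address => uint256) public owed; // shares deferred for later claim

    event TransferFailed(address indexed beneficiary, uint256 amount);
    event Claimed(address indexed beneficiary, uint256 amount);

    constructor(IERC20 _asset, address[] memory _beneficiaries) {
        assetToPay = _asset;
        beneficiaries = _beneficiaries;
    }

    // Pays `total` out equally. try/catch works here because `transfer` is an
    // external call on the token contract; it would not compile on SafeERC20's
    // internal `safeTransfer` wrapper. A blacklisted beneficiary's revert is
    // caught and the share recorded, so the loop finishes for everyone else.
    function distribute(uint256 total) external {
        uint256 share = total / beneficiaries.length;
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            address b = beneficiaries[i];
            try assetToPay.transfer(b, share) returns (bool ok) {
                if (!ok) _defer(b, share);
            } catch {
                _defer(b, share);
            }
        }
    }

    function _defer(address b, uint256 amount) internal {
        owed[b] += amount;
        emit TransferFailed(b, amount);
    }

    // A beneficiary whose transfer failed pulls the deferred amount itself;
    // if it is still blacklisted, only its own claim reverts.
    function claim() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        require(assetToPay.transfer(msg.sender, amount), "transfer failed");
        emit Claimed(msg.sender, amount);
    }
}
```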

Diff Recommendation
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (msg.sender == beneficiaries[i]) {
return;
} else {
- IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);
+ try IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor) {
+ } catch {
+ emit TransferFailed(beneficiaries[i], finalAmount / divisor);
+ }
}
}
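Review bot: the `try IERC20(assetToPay).safeTransfer(...)` on the added line will not compile: `safeTransfer` is the SafeERC20 library function attached with `using SafeERC20 for IERC20`, an internal library call, and Solidity's try/catch only applies to external calls and contract creation. Call the token's external function instead, e.g. `try IERC20(assetToPay).transfer(beneficiaries[i], finalAmount / divisor) returns (bool ok)`, and handle a `false` return in the success branch. The `TransferFailed` event is also not declared in the hunk, and emitting it while dropping the share leaves that beneficiary's funds stranded in the contract; record the amount in a per-beneficiary mapping so it can be claimed later. Separately, the unchanged `if (msg.sender == beneficiaries[i]) { return; }` ends the whole function when the caller is reached, so beneficiaries later in the array are never paid in that call; `continue` looks like the intended behaviour.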
Updates

Lead Judging Commences

0xtimefliez Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
