Beginner Friendly, Solidity, 100 EXP
Submission Details
Severity: medium
Invalid

Address Zero Can Be Added as a Beneficiary, Leading to Potential Loss of Funds

Summary

The Ethereum zero address (address(0)) is an address for which no one holds a private key, so funds sent to it, or to any contract it would control, cannot be recovered. The InheritanceManager.sol::addBeneficiery function does not check whether the new beneficiary is the zero address. This oversight can lead to a loss of funds and defeats the purpose of letting beneficiaries inherit from the contract. Although the owner can remove a beneficiary, adding the zero address should be rejected outright.

Vulnerability Details

The following Foundry test demonstrates the issue and can be added to InheritanceManager.t.sol:

function test_can_add_address_zero_as_beneficiary() public {
    // The owner can add the zero address without a revert
    vm.prank(owner);
    im.addBeneficiery(address(0));
}

Impact

Funds sent to the zero-address beneficiary are lost or inaccessible.

Tools Used

Foundry test

Recommendations

Validate the new beneficiary address before adding it. The following change demonstrates the fix (added lines are marked with +):

contract InheritanceManager is Trustee {
+   error AddressZeroNotAllowed();

    function addBeneficiery(address _beneficiary) external onlyOwner {
+       if (_beneficiary == address(0)) revert AddressZeroNotAllowed();
        // existing function body
    }

    // other existing code
}

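As an added example (not part of the original submission or of the audited code base), a Foundry test that covers the recommended fix: the hardened addBeneficiery must revert with AddressZeroNotAllowed for address(0) and still accept a normal address. MinimalInheritanceManager, NotOwner, beneficiaries and the alice address are assumed names standing in for the real contract's code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract: only the beneficiary logic
// relevant to this finding is modelled, with the recommended check applied.
contract MinimalInheritanceManager {
    error AddressZeroNotAllowed();
    error NotOwner();
    address public owner;
    address[] public beneficiaries;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Hardened version of the page's addBeneficiery: reject the zero address.
    function addBeneficiery(address _beneficiary) external onlyOwner {
        if (_beneficiary == address(0)) revert AddressZeroNotAllowed();
        beneficiaries.push(_beneficiary);
    }
}

contract ZeroBeneficiaryTest is Test {
    MinimalInheritanceManager im;
    address owner = makeAddr("owner");
    address alice = makeAddr("alice");

    function setUp() public {
        vm.prank(owner);
        im = new MinimalInheritanceManager();
    }

    // The finding's original test, which now expects a revert instead of silent success.
    function test_add_zero_beneficiary_reverts() public {
        vm.prank(owner);
        vm.expectRevert(MinimalInheritanceManager.AddressZeroNotAllowed.selector);
        im.addBeneficiery(address(0));
    }

    // A regular address is still accepted after the fix.
    function test_add_valid_beneficiary() public {
        vm.prank(owner);
        im.addBeneficiery(alice);
        assertEq(im.beneficiaries(0), alice);
    }
}
```
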
Updates

Lead Judging Commences

0xtimefliez Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
