Submission Details
Severity: high
Invalid

Owner can still access the funds after the deadline, which contradicts `After the 90 days only the beneficiaries get access to the funds`

Description: The InheritanceManager contract allows the owner to access the funds after the deadline has passed and after the inheritance has been triggered.
This contradicts the core assumption that after the 90 days, only the beneficiaries should have access to the funds.

Impact: This issue allows the owner to drain the contract of funds after the deadline, even though the contract should be inherited by the beneficiaries.

Proof of Concept: Add the following test and run it:

```solidity
function test_owner_drain_after_deadline() public {
    // Fund the contract and register three beneficiaries as the owner.
    vm.deal(address(im), 1 ether);
    vm.startPrank(owner);
    im.addBeneficiery(beneficiary1);
    im.addBeneficiery(beneficiary2);
    im.addBeneficiery(beneficiary3);
    vm.stopPrank();

    // Move time to the deadline and trigger the inheritance.
    vm.warp(im.getDeadline());
    im.inherit();

    // The owner can still withdraw the full balance.
    vm.prank(owner);
    im.sendETH(1 ether, owner);
    assertEq(address(im).balance, 0);
    assertEq(owner.balance, 1 ether);
}
```

Recommended Mitigation:
Restrict the owner from accessing the funds after the deadline.

```solidity
error NotOwnerBeforeDeadline(address);
...
modifier onlyOwnerBeforeDeadLine() {
    if (msg.sender != owner || block.timestamp >= getDeadline()) {
        revert NotOwnerBeforeDeadline(msg.sender);
    }
    _;
}
...
function sendERC20(address _tokenAddress, uint256 _amount, address _to) external nonReentrant onlyOwnerBeforeDeadLine {
    ...
}
function sendETH(uint256 _amount, address _to) external nonReentrant onlyOwnerBeforeDeadLine {
    ...
}
function contractInteractions(address _target, bytes calldata _payload, uint256 _value, bool _storeTarget) external nonReentrant onlyOwnerBeforeDeadLine {
    ...
}
function createEstateNFT(string memory _description, uint256 _value, address _asset) external onlyOwnerBeforeDeadLine {
    ...
}
function addBeneficiery(address _beneficiary) external onlyOwnerBeforeDeadLine {
    ...
}
function removeBeneficiary(address _beneficiary) external onlyOwnerBeforeDeadLine {
    ...
}
```
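
A regression check for the mitigation above, as an added example that is not part of the original submission or the project's test suite: the owner can still send ETH one second before the deadline and is rejected at the deadline itself. It assumes the PoC's fixtures (`im`, `owner`, `beneficiary1` to `beneficiary3`), a hypothetical helper `_fundAndAddBeneficiaries`, and that `getDeadline()` already returns a future timestamp when the owner makes the first call.

```solidity
// Added example: Foundry tests for the proposed onlyOwnerBeforeDeadLine modifier.
// They belong in the same test contract as the PoC and reuse its fixtures.

// Hypothetical helper: fund the contract and register beneficiaries as the owner.
// Assumption: getDeadline() is in the future here. If it were still unset (0),
// the modifier's `block.timestamp >= getDeadline()` check would reject these
// calls too, and this setup would revert and expose that problem.
function _fundAndAddBeneficiaries() internal {
    vm.deal(address(im), 1 ether);
    vm.startPrank(owner);
    im.addBeneficiery(beneficiary1);
    im.addBeneficiery(beneficiary2);
    im.addBeneficiery(beneficiary3);
    vm.stopPrank();
}

// One second before the deadline the owner must still be able to move funds.
function test_owner_can_send_before_deadline() public {
    _fundAndAddBeneficiaries();
    vm.warp(im.getDeadline() - 1);

    vm.prank(owner);
    im.sendETH(1 ether, owner);

    assertEq(address(im).balance, 0);
    assertEq(owner.balance, 1 ether);
}

// At the deadline itself (the timestamp at which the PoC calls inherit())
// the modifier's >= comparison must already lock the owner out.
function test_owner_cannot_send_at_deadline() public {
    _fundAndAddBeneficiaries();
    vm.warp(im.getDeadline());

    // Custom error encoded by signature, so the test does not depend on
    // where the error is declared.
    vm.expectRevert(abi.encodeWithSignature("NotOwnerBeforeDeadline(address)", owner));
    vm.prank(owner);
    im.sendETH(1 ether, owner);

    // The revert leaves both balances untouched.
    assertEq(address(im).balance, 1 ether);
    assertEq(owner.balance, 0);
}
```
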
Updates

Lead Judging Commences

0xtimefliez Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
