In InheritanceManager.sol, the withdrawInheritedFunds() and buyOutEstateNFT() functions are vulnerable to a Denial of Service (DoS) if the distributed asset (e.g., USDC) enforces a blacklist. If any beneficiary is blacklisted, the token transfer to that address reverts, which reverts the whole distribution and can lock the funds in the contract permanently.
Affected code:
Both functions push the asset to several beneficiaries within the same transaction:
withdrawInheritedFunds() calculates each beneficiary's share of the inherited funds and transfers it to them.
buyOutEstateNFT() calculates the amount owed to the other beneficiaries for their share of the NFT and transfers it to them.
If any one of those beneficiaries is blacklisted by the token (as USDC's Blacklistable logic allows), the transfer to that address reverts and the entire call fails, so the remaining beneficiaries cannot receive their funds either. A single blacklisted address is therefore enough to DoS the distribution for everyone.
Denial of Service (DoS): a single blacklisted address makes the transaction revert, preventing asset distribution to all beneficiaries.
Functional disruption: beneficiaries may be unable to withdraw their rightful inheritance or complete NFT buyouts.
Manual review
I would recommend implementing the "pull over push" pattern: instead of transferring in a loop, record each beneficiary's claimable balance per asset in a mapping (user => token => balance, i.e. `mapping(address => mapping(address => uint256))`) and let each beneficiary withdraw their own share in a separate call, so a failing transfer to one address cannot block the others.
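The following is an added illustration of the push-vs-pull difference; it is not code from InheritanceManager.sol or the audited project. The contract, function and variable names (MockBlacklistToken, PushDistribution, PullDistribution, pending, totalPending, distribute, claim) are assumed for the example, and the blacklisting token is a constructed stand-in for USDC's Blacklistable behaviour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not InheritanceManager.sol. All names below are assumed.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Constructed stand-in for a USDC-style token: transfers to or from a
// blacklisted account revert, which is the failure mode in the finding.
contract MockBlacklistToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => bool) public blacklisted;
    address public immutable admin;

    constructor() { admin = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        balanceOf[to] += amount;
    }

    function setBlacklisted(address who, bool flag) external {
        require(msg.sender == admin, "not admin");
        blacklisted[who] = flag;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "account is blacklisted");
        balanceOf[msg.sender] -= amount; // checked math: reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}

// Push pattern, mirroring the finding: one blacklisted beneficiary reverts the
// whole loop, so nobody is paid and the funds stay in the contract.
contract PushDistribution {
    address[] public beneficiaries;

    constructor(address[] memory _beneficiaries) {
        require(_beneficiaries.length > 0, "no beneficiaries");
        beneficiaries = _beneficiaries;
    }

    function withdrawInheritedFunds(address token) external {
        uint256 share = IERC20(token).balanceOf(address(this)) / beneficiaries.length;
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            // Reverts for every beneficiary if any single recipient is blacklisted.
            require(IERC20(token).transfer(beneficiaries[i], share), "transfer failed");
        }
    }
}

// Pull pattern: distribution only credits internal balances; each beneficiary
// withdraws their own share, so a blacklisted one cannot block the others.
contract PullDistribution {
    address[] public beneficiaries;
    // user => token => claimable balance (the mapping from the recommendation)
    mapping(address => mapping(address => uint256)) public pending;
    // token => total credited but not yet claimed, so a second distribute()
    // does not re-split funds that are already earmarked for someone
    mapping(address => uint256) public totalPending;

    constructor(address[] memory _beneficiaries) {
        require(_beneficiaries.length > 0, "no beneficiaries");
        beneficiaries = _beneficiaries;
    }

    function distribute(address token) external {
        uint256 unallocated = IERC20(token).balanceOf(address(this)) - totalPending[token];
        uint256 share = unallocated / beneficiaries.length;
        require(share > 0, "nothing to distribute");
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            pending[beneficiaries[i]][token] += share; // no external call in the loop
        }
        totalPending[token] += share * beneficiaries.length;
    }

    function claim(address token) external {
        uint256 amount = pending[msg.sender][token];
        require(amount > 0, "nothing to claim");
        pending[msg.sender][token] = 0;   // effects before the external call
        totalPending[token] -= amount;
        // If msg.sender is blacklisted this reverts, but only for them.
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

The same change applies to buyOutEstateNFT(): credit the payout for each other beneficiary to `pending[beneficiary][token]` rather than transferring it inside the buyout call. Two caveats when adapting this: tokens such as USDT do not return a bool from transfer(), so in production use OpenZeppelin's SafeERC20 rather than `require(token.transfer(...))`; and integer division leaves dust in the contract, so decide explicitly who receives the remainder.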