Inheritable Smart Contract Wallet

Summary

The NFTFactory contract contains a critical vulnerability where the inheritanceManager can burn NFTs even after they have been transferred to another user. This violates ownership principles, allowing unauthorized destruction of user-owned assets.

Vulnerability Details

Issue: Unrestricted Burn Function

• The burnEstate(uint256 _id) function allows the inheritanceManager to burn any NFT, regardless of ownership.

• There is no ownership or approval check before executing _burn(_id).

• As a result, even if a user (user1) owns the NFT, inheritanceManager can still burn it.

Who Can Exploit This?

• A regular user (someone who is neither the inheritanceManager nor an approved operator) CANNOT exploit this.

• However, the inheritanceManager can burn any estate (NFT) it previously minted, even after transferring ownership.

Why Is This a Real Bug?

• Ownership Violation: The contract does not enforce ownership or approval checks before burning an NFT.

• Centralized Control: Even after the NFT is transferred, the inheritanceManager still has full power to burn it.

• User Impact: If the inheritanceManager is malicious or compromised, it can arbitrarily destroy other users’ NFTs, violating user trust and asset integrity.

Impact

🚨 Critical - High Severity 🚨

• Unauthorized asset destruction: Users can lose their NFTs without their approval.

• Loss of trust: The contract does not protect user-owned assets.

• Potential malicious behavior: A compromised or malicious inheritanceManager can arbitrarily burn NFTs.

Attack Scenario

• inheritanceManager creates an estate (NFT).

• The NFT is transferred to a user (user1).

• Later, inheritanceManager calls burnEstate(tokenId), even though they no longer own it.

• The NFT gets burned, and user1 loses their asset.

The Vulnerable Code:

Tools Used

Manual Review

Recommendations

Fix: Restrict Burning to Owners or Approved Operators

Modify the burnEstate function to check if the caller is the current owner or an approved operator: