After the contract has been inherited (isInherited = true), the original owner still retains control over it. The owner can keep calling onlyOwner functions such as sendETH or sendERC20, which reset the inactivity timer and move funds, potentially preventing beneficiaries from ever accessing them.

In inherit(), if there is more than one beneficiary the function sets isInherited = true, but it does not change owner: the original owner remains the owner. Nothing in the onlyOwner functions checks isInherited, so the original owner can still call sendERC20 and the other owner-only functions, each of which resets the deadline and moves funds. This breaks the intended behaviour that, after 90 days of inactivity, the beneficiaries take over. The core invariant "After the 90 days only the beneficiaries get access to the funds" is therefore not enforced: once the 90-day mark has passed, the owner can keep interacting with those functions and push the deadline out indefinitely.
The likelihood of this vulnerability being encountered is high. Access control depends entirely on the isInherited state variable, and the gap is reachable every time the contract is inherited, because the original owner retains control and can reset the timer.
To fix this issue, the contract should either transfer ownership to the beneficiaries when inheritance is triggered or lock the onlyOwner functions once isInherited is true, for example with a modifier that reverts whenever isInherited is set.
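The following is an added illustrative fix, not the contest contract's code. It keeps the names the finding mentions (isInherited, inherit(), sendETH, sendERC20, onlyOwner, the 90-day window) and assumes the rest: the contract name InheritanceManagerFixed, the TIMELOCK constant, the _setDeadline helper, the notInherited and onlyBeneficiary modifiers and the withdrawInheritedETH function are all assumptions made for this example. The idea is that owner activity can only reset the deadline while the wallet has not been inherited, and that after inheritance only beneficiaries can move funds:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. Names other than isInherited,
// inherit, sendETH, sendERC20 and onlyOwner are assumptions.
contract InheritanceManagerFixed {
    uint256 public constant TIMELOCK = 90 days; // assumed constant for the 90-day window

    address public owner;
    address[] public beneficiaries;
    uint256 public deadline;
    bool public isInherited;
    bool public distributed;

    error NotOwner();
    error NotBeneficiary();
    error AlreadyInherited();
    error NotYetInactive();
    error NotInheritedYet();
    error AlreadyDistributed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // The missing check: once inheritance has been triggered, every owner-only
    // function reverts, so the original owner can no longer reset the deadline
    // or move funds out from under the beneficiaries.
    modifier notInherited() {
        if (isInherited) revert AlreadyInherited();
        _;
    }

    modifier onlyBeneficiary() {
        bool found;
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (beneficiaries[i] == msg.sender) {
                found = true;
                break;
            }
        }
        if (!found) revert NotBeneficiary();
        _;
    }

    constructor(address[] memory _beneficiaries) payable {
        require(_beneficiaries.length > 0, "no beneficiaries");
        owner = msg.sender;
        beneficiaries = _beneficiaries;
        _setDeadline();
    }

    receive() external payable {}

    // Owner activity pushes the deadline out by the full timelock.
    function _setDeadline() internal {
        deadline = block.timestamp + TIMELOCK;
    }

    // Both fund-moving owner functions carry notInherited in addition to onlyOwner.
    function sendETH(uint256 amount, address to) external onlyOwner notInherited {
        _setDeadline();
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    function sendERC20(address token, uint256 amount, address to) external onlyOwner notInherited {
        _setDeadline();
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSignature("transfer(address,uint256)", to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "ERC20 transfer failed");
    }

    // Anyone may trigger inheritance once the owner has been inactive for TIMELOCK.
    // A single heir simply becomes the new owner; with several heirs the wallet is
    // frozen for the old owner and funds are released through withdrawInheritedETH.
    function inherit() external {
        if (isInherited) revert AlreadyInherited();
        if (block.timestamp < deadline) revert NotYetInactive();
        if (beneficiaries.length == 1) {
            owner = beneficiaries[0];
            _setDeadline();
        } else {
            isInherited = true;
        }
    }

    // After inheritance, only a beneficiary can release the ETH, split equally.
    // The flag is set before any external call (checks-effects-interactions).
    function withdrawInheritedETH() external onlyBeneficiary {
        if (!isInherited) revert NotInheritedYet();
        if (distributed) revert AlreadyDistributed();
        distributed = true;
        uint256 share = address(this).balance / beneficiaries.length;
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            (bool ok, ) = beneficiaries[i].call{value: share}("");
            require(ok, "ETH transfer failed");
        }
    }
}
```

With this layout, a call to sendETH or sendERC20 from the original owner after inherit() has set isInherited reverts with AlreadyInherited instead of silently resetting deadline, which restores the invariant that only beneficiaries can reach the funds once the 90 days have elapsed.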