Scenario: The owner could interact with another contract using the contractInteractions function. Since contractInteractions does not call _setDeadline(), the 90-day timer would not be reset. This could lead to beneficiaries being able to trigger the inherit() function prematurely, even though the owner has been actively using the contract.
Core assumptions state that:
## Core Assumptions and Invariants
1. EVERY transaction the owner does with this contract must reset the 90 days timer
2. No one can take ownership of this contract before the 90 days timelock is over
Violation Scenario:
1. The owner deploys the contract and adds beneficiaries. The deadline is set.
2. Over a period of 89 days, the owner exclusively uses contractInteractions to interact with other contracts. The owner never uses createEstateNFT, addBeneficiery, removeBeneficiary, sendERC20, or sendETH.
3. The deadline expires.
4. The beneficiaries, seeing that the owner hasn't used those other functions for 90 days, and being aware that the owner has used contractInteractions, incorrectly call inherit().
5. Since the deadline has passed, the inherit() function proceeds, transferring ownership/enabling inheritance despite the owner having actively used the contract (only through contractInteractions).
Invalidation of Assumptions and Invariants
Manual review
Call _setDeadline() in contractInteractions to ensure every owner-initiated transaction resets the timer.
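
The recommendation above, shown as an added sketch (not the audited contract's code). The contract name, the `resetsDeadline` modifier, the custom errors, the `contractInteractions` parameter list and the simplified `inherit()` body are assumptions made for illustration; only the function names `contractInteractions`, `_setDeadline` and `inherit` and the 90-day timer come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch: models only the timer logic; reentrancy protection is omitted.
contract InheritanceTimerSketch {
    uint256 public constant TIMELOCK = 90 days;
    address public owner;
    uint256 public deadline;

    error NotOwner();
    error TimelockActive(uint256 until);
    error CallFailed(bytes returnData);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Hypothetical modifier: attach it to every owner entry point so that a
    // newly added function cannot silently skip the timer reset.
    modifier resetsDeadline() {
        _;
        _setDeadline();
    }

    constructor() {
        owner = msg.sender;
        _setDeadline();
    }

    function _setDeadline() internal {
        deadline = block.timestamp + TIMELOCK;
    }

    // Assumed signature. The fix is the reset: without resetsDeadline (or a
    // direct _setDeadline() call) this owner action leaves the deadline stale.
    function contractInteractions(address target, bytes calldata payload, uint256 value)
        external onlyOwner resetsDeadline returns (bytes memory)
    {
        (bool ok, bytes memory data) = target.call{value: value}(payload);
        if (!ok) revert CallFailed(data);
        return data;
    }

    // Simplified stand-in for inherit(): it must revert while the timer runs.
    function inherit() external {
        if (block.timestamp < deadline) revert TimelockActive(deadline);
        owner = msg.sender;
    }

    receive() external payable {}
}
```

With the reset in place, a call to `contractInteractions` on day 89 moves `deadline` another 90 days out, so `inherit()` reverts on day 91 instead of succeeding.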