Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

assetToPay Overwrites Payment Asset for All NFTs

adepoju2006

Summary

The createEstateNFT function in the Inheritance Manager contract suffers from a global variable overwrite vulnerability in how it assigns payment assets for estate NFTs. Instead of storing the assetToPay per NFT, it uses a single global variable, meaning that each newly created NFT overwrites the payment asset for all previously created NFTs.

This flaw allows an attacker to manipulate the contract, making expensive estate NFTs accept worthless tokens instead of legitimate assets (e.g., USDC, ETH, or DAI), resulting in financial loss for the system and its users.

Vulnerability Details

The issue arises because the contract stores only one instance of assetToPay, which gets updated every time a new estate NFT is created. Here’s the vulnerable function:

function createEstateNFT(string memory _description, uint256 _value, address _asset) external onlyOwner {
uint256 nftID = nft.createEstate(_description);
nftValue[nftID] = _value;
assetToPay = _asset; // ❌ BUG: Overwrites previous assetToPay
}

🔴 Problem:

  • assetToPay is not linked to nftID, meaning that when a new NFT is created, it overwrites the asset required for all previous NFTs.

  • If an estate NFT was initially set to accept USDC, and a new NFT is created to accept a worthless token, then all NFTs—including the expensive ones—now also accept that worthless token.

How an Attacker Exploits This

  1. Step 1: A legitimate user creates an estate NFT that accepts USDC as the payment asset.

  2. Step 2: The attacker creates a new estate NFT, but sets its payment asset to a worthless or fake token.

  3. Step 3: Since assetToPay is global, the expensive NFT now accepts the fake token instead of USDC.

  4. Step 4: The attacker buys the expensive NFT using their worthless token, stealing the asset for free.

Impact

🔹 Financial Loss: Valuable estate NFTs can be purchased with worthless tokens, leading to loss of funds for legitimate users.
🔹 Contract Manipulation: Any new NFT creation changes the entire system's payment rules, leading to unpredictable behavior.
🔹 Breaks Intended Security Model: The contract fails to enforce asset constraints, making inheritance payments unreliable.

Tools Used

Manuel Review

Recommendations

✅ Fix: Store assetToPay Per NFT ID

Instead of using a single global variable, store assetToPay in a mapping, indexed by nftID.

Fixed Code

mapping(uint256 => address) public assetToPay; // ✅ Store per NFT
function createEstateNFT(string memory _description, uint256 _value, address _asset)
external onlyOwner
{
uint256 nftID = nft.createEstate(_description);
nftValue[nftID] = _value;
assetToPay[nftID] = _asset; // ✅ Fix: Each NFT has its own payment asset
}

Conclusion

This vulnerability compromises the integrity of the inheritance system by allowing any NFT's payment method to be manipulated. By storing assetToPay per NFT ID, we prevent this exploit and ensure each estate NFT retains its intended payment asset. 🚀

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

global asset in NFT values

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.