Severity: high
Valid

Improper Handling of Empty Beneficiary Slots in withdrawInheritedFunds

Description

The withdrawInheritedFunds() function in the InheritanceManager contract contains a critical vulnerability related to the handling of empty beneficiary slots. When a beneficiary is removed using the removeBeneficiary() function, their address is replaced with address(0) (the zero address), but the slot remains in the array.

function removeBeneficiary(address _beneficiary) external onlyOwner {
    uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);
    delete beneficiaries[indexToRemove]; // Sets to address(0) but doesn't reduce array length
}

The withdrawInheritedFunds() function uses the length of the beneficiary array to calculate division and distribution:

function withdrawInheritedFunds(address _asset) external {
    // ...
    uint256 divisor = beneficiaries.length;
    // ... division and distribution logic using all array slots
}

This creates two serious issues:

  1. The divisor calculation includes deleted beneficiaries, leading to incorrect per-beneficiary amounts

  2. The function attempts to transfer assets to address(0) when it encounters deleted slots

Impact

This vulnerability has significant implications:

  1. Incorrect Distribution Amounts: Including empty slots in the divisor means active beneficiaries receive less than their fair share.

  2. Potential Token Loss: For many ERC20 tokens, transfers to address(0) are either:

    • Burned permanently (tokens with burn-on-transfer-to-zero mechanisms)

    • Locked forever (tokens without burn mechanics, where nobody can access the zero address)

  3. Transaction Failures: Some ERC20 tokens explicitly prevent transfers to address(0), causing the entire transaction to revert.

  4. ETH Sent to Void: When transferring ETH, sending to address(0) means those funds are permanently lost (effectively burned).

Recommendation

  1. Implement proper handling of empty beneficiary slots

  2. Additionally, update the removeBeneficiary function to properly handle array manipulation
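
One way to apply both recommendations, shown as an added example rather than code from the audited InheritanceManager contract: removal uses swap-and-pop so the array length always equals the number of live beneficiaries, and the divisor is therefore correct and no slot holds address(0). The contract name, the custom errors, addBeneficiary, distributeEth and the owner-only access on distributeEth are assumptions made for this sketch; the real withdrawInheritedFunds() also takes an _asset parameter and has its own access rules, which are not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: a minimal stand-in, not the audited InheritanceManager.
contract BeneficiaryListSketch {
    address public owner;
    address[] public beneficiaries;
    error NotOwner();
    error ZeroAddress();
    error BeneficiaryNotFound();
    error NoBeneficiaries();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }
    receive() external payable {}

    function addBeneficiary(address _beneficiary) external onlyOwner {
        if (_beneficiary == address(0)) revert ZeroAddress();
        beneficiaries.push(_beneficiary);
    }

    // Swap-and-pop: the array shrinks, so no address(0) slot is left behind.
    function removeBeneficiary(address _beneficiary) external onlyOwner {
        uint256 len = beneficiaries.length;
        for (uint256 i = 0; i < len; i++) {
            if (beneficiaries[i] == _beneficiary) {
                beneficiaries[i] = beneficiaries[len - 1];
                beneficiaries.pop();
                return;
            }
        }
        revert BeneficiaryNotFound(); // unknown address: fail loudly, change nothing
    }

    // Hypothetical ETH-only payout; divisor equals the live beneficiary count.
    function distributeEth() external onlyOwner {
        uint256 divisor = beneficiaries.length;
        if (divisor == 0) revert NoBeneficiaries(); // avoid division by zero
        uint256 share = address(this).balance / divisor;
        for (uint256 i = 0; i < divisor; i++) {
            (bool ok, ) = beneficiaries[i].call{value: share}("");
            if (!ok) revert TransferFailed();
        }
    }
}
```

Swap-and-pop changes the order of the remaining beneficiaries, which is acceptable only when shares are equal and order carries no meaning.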

Tools Used

  • Foundry Testing Framework

  • Transaction Trace Analysis

  • Manual Code Review

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect removal from beneficiary list causes funds to be sent to 0 address
