Severity: medium
Invalid

Potential for Duplicate Beneficiaries

Summary

The addBeneficiary function in the InheritanceManager contract permits the same address to be added multiple times to the beneficiaries array. This lack of uniqueness checking can lead to over-distribution of inheritance funds and flawed logic in functions that depend on the number of unique beneficiaries. As a result, beneficiaries could receive more than their intended share, disrupting the fair allocation of assets.

Vulnerability Details

In the addBeneficiary function, a provided address is appended directly to the beneficiaries array without verifying whether it already exists. This allows duplicate entries, which can distort the inheritance distribution process. For instance, if an address is added twice, it may receive double the intended inheritance when funds are disbursed.

Vulnerable Code:

    function addBeneficiary(address _beneficiary) external onlyOwner {
        // No uniqueness check: the same address can be pushed more than once.
        beneficiaries.push(_beneficiary);
        _setDeadline();
    }

Impact

  • Over-distribution of Funds: A beneficiary listed multiple times would receive multiple portions of the inheritance, resulting in incorrect payouts.

  • Skewed Logic: Functions designed to distribute assets equally among beneficiaries (e.g., withdrawInheritedFunds) would miscalculate shares due to the inflated array length caused by duplicates.

  • Increased Gas Costs: Duplicate entries in the beneficiaries array lead to unnecessary iterations in loops, increasing transaction costs for functions processing the array.

Proof of Concept (PoC)

  1. The owner calls addBeneficiary(address1) to add address1 as a beneficiary.

  2. The owner calls addBeneficiary(address1) again, adding address1 a second time.

  3. The beneficiaries array now contains [address1, address1].

  4. When withdrawInheritedFunds executes, it divides the total funds by the array length (2), sending half to address1 twice. Consequently, address1 receives the entire inheritance instead of its intended share.

Tools Used

  • Manual review

Recommendations

To address this vulnerability, ensure that each beneficiary address is unique by checking for duplicates before adding it to the array:

    function addBeneficiary(address _beneficiary) external onlyOwner {
        // Scan the existing entries and reject an address that is already listed.
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (beneficiaries[i] == _beneficiary) {
                revert("Beneficiary already exists");
            }
        }
        beneficiaries.push(_beneficiary);
        _setDeadline();
    }

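
The effect of duplicate slots on an equal split, together with a constant-gas alternative to the array scan recommended above, as an added example that is not the InheritanceManager source and not part of the original submission. The contract name SplitModel, its function names and the equal-split-per-array-slot payout are assumptions made for illustration; access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration only, NOT the InheritanceManager contract.
// Assumption: a payout gives every array slot an equal part of the pot.
contract SplitModel {
    address[] public beneficiaries;
    // Uniqueness index: one storage read replaces a scan of the whole array.
    mapping(address => bool) public isBeneficiary;

    error AlreadyBeneficiary(address who);

    // Unguarded variant, same shape as the function under review.
    // Use either this or addUnique in one deployment of the model, not both,
    // because this variant does not maintain the index.
    function addUnchecked(address b) external {
        beneficiaries.push(b);
    }

    // Guarded variant: reverts on a repeat address at constant gas cost,
    // however long the beneficiaries array has grown.
    function addUnique(address b) external {
        if (isBeneficiary[b]) revert AlreadyBeneficiary(b);
        isBeneficiary[b] = true;
        beneficiaries.push(b);
    }

    // Total that `who` would be paid out of `pot` when each array slot
    // receives pot / beneficiaries.length.
    function shareOf(address who, uint256 pot)
        external
        view
        returns (uint256 total)
    {
        uint256 n = beneficiaries.length;
        if (n == 0) return 0;
        uint256 perSlot = pot / n;
        for (uint256 i = 0; i < n; i++) {
            if (beneficiaries[i] == who) total += perSlot;
        }
    }
}
```

With the unguarded variant, adding one address twice and a second address once leaves the first address holding two of the three slots, so shareOf reports twice the amount for it. If a contract also supports removing beneficiaries, the mapping entry has to be cleared in the same function that removes the array element.
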
Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
