Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Early Termination of Distribution Loop in buyOutEstateNFT()

adepoju2006

Summary

The buyOutEstateNFT() function in ingeritancemanager.sol contains a return statement inside a loop, which prematurely stops the iteration when msg.sender is found in the beneficiaries array. As a result, any beneficiaries after msg.sender in the array do not receive their fair share of the funds, leading to loss of inheritance distribution.

Vulnerability Details

📌 Vulnerable Code in buyOutEstateNFT(``)

for (uint256 i = 0; i < beneficiaries.length; i++) {

if (msg.sender == beneficiaries[i]) {

return; // 🚨 EARLY EXIT! Stops fund distribution to later beneficiaries.

} else {

IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);

}

❌ What is Wrong?

The function loops through the beneficiaries to distribute funds.
When msg.sender (the buyer) is found in the array, the loop stops execution due to the return statement.
Any beneficiaries after msg.sender in the list will not receive their share.
This leads to unfair and incomplete inheritance payouts.

Impact

1️⃣ Some Beneficiaries Do Not Get Their Share

If a beneficiary calls buyOutEstateNFT() to purchase an estate NFT, the loop stops distributing funds once it finds them in the list.
This results in other beneficiaries losing their rightful inheritance.

2️⃣ Funds Can Be Stuck in the Contract

If the contract has an uneven number of beneficiaries, a portion of the funds may remain unclaimed.

Tools Used

Manuel Review

🚀 Proof of Concept (PoC)

📜 Given: List of Beneficiaries

beneficiaries = [0xAAA, 0xBBB, 0xCCC, 0xDDD];

Let's say:

msg.sender = 0xCCC (the buyer calling buyOutEstateNFT).
The loop starts from index 0.

🛑 Incorrect Execution (Current Code)

Step	Current Beneficiary	Action Taken
1️⃣	`0xAAA`	✅ Paid
2️⃣	`0xBBB`	✅ Paid
3️⃣	`0xCCC` (msg.sender)	❌ Loop Stops! (return executed)
4️⃣	`0xDDD`	❌ Never Reached!

🔴 Result: 0xDDD does not receive their share! The loop stops at 0xCCC.

Recommendations

🔧 Corrected Code

for (uint256 i = 0; i < beneficiaries.length; i++) {

if (msg.sender != beneficiaries[i]) { // ✅ Skip buyer but continue loop

IERC20(assetToPay).safeTransfer(beneficiaries[i], finalAmount / divisor);

}

✅ Correct Execution (Fixed Code)

Step	Current Beneficiary	Action Taken
1️⃣	`0xAAA`	✅ Paid
2️⃣	`0xBBB`	✅ Paid
3️⃣	`0xCCC` (msg.sender)	⏩ Skipped (Not Paid)
4️⃣	`0xDDD`	✅ Paid!

🟢 Result: Now all eligible beneficiaries except the buyer receive their fair share.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

buyOutNFT has return instead of continue

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.