Submission Details
Severity:
Missing msg.sender Check Allows Unauthorized Ownership Transfer
Description: InheritanceManager::inherit lacks a proper check to ensure that only legitimate beneficiaries can call it. As a result, any caller can trigger the line 'owner = msg.sender'.
Impact: This vulnerability enables any arbitrary address to assume ownership of the contract by calling InheritanceManager::inherit, representing a critical security risk.
Recommended Mitigation: Introduce a modifier (e.g., 'onlyBeneficiary') to restrict access to beneficiaries only:
modifier onlyBeneficiary() {
bool isBeneficiary = false;
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (beneficiaries[i] == msg.sender) {
isBeneficiary = true;
break;
}
}
require(isBeneficiary, "Caller is not a beneficiary");
_;
}
Apply this modifier to the InheritanceManager::inheritas needed.
Updates
Lead Judging Commences
0xtimefliez 4 months ago
Submission Judgement Published Assigned finding tags:
Inherit depends on msg.sender so anyone can claim the contract
Rewards breakdown
nSLOC
211This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.