Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Broken Access Control in `onlyBeneficiaryWithIsInherited` Modifier

albert

Summary

The onlyBeneficiaryWithIsInherited modifier fails to properly enforce the "only inherited-state beneficiaries" restriction, allowing unauthorized access to critical functions even after fixing the array out-of-bounds issue.

Vulnerability Details

Missing Explicit Validation:
- The modifier uses a loop to check if msg.sender is a beneficiary but does not explicitly validate the result after the loop. Even if msg.sender is not a beneficiary, execution continues, permitting unauthorized calls.
- Example: A non-beneficiary address bypasses the check because the loop completes without reverting.
Ignored isInherited State:
- The modifier does not verify the isInherited flag outside the loop. Even if isInherited is false, calls from beneficiaries are allowed.
Unhandled Empty Beneficiaries:
- If beneficiaries.length == 0, the loop is skipped entirely, granting unrestricted access to any caller.

Impact

Unauthorized users can invoke protected functions (e.g., buyOutEstateNFT, appointTrustee), leading to:
- Theft of NFT-backed assets.
- Malicious trustee appointments.
- Disruption of inheritance processes.

Tools Used

Manual code review
Slither static analysis (to detect missing access controls)

Recommendations

Add Explicit Checks:

modifier onlyBeneficiaryWithIsInherited() {
require(beneficiaries.length > 0, "No beneficiaries");
bool isBeneficiary = false;
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (msg.sender == beneficiaries[i]) {
isBeneficiary = true;
break;
}
}
require(isBeneficiary && isInherited, "Not beneficiary or inactive inheritance");
_;
}
Optimize with Mappings:
Replace the beneficiaries array with a mapping for O(1) lookups:

mapping(address => bool) public isBeneficiary;
modifier onlyBeneficiaryWithIsInherited() {
require(isInherited, "Inheritance inactive");
require(isBeneficiary[msg.sender], "Not beneficiary");
_;
}
State Consistency:
Ensure isInherited is validated independently of the loop logic.

This merged issue captures the critical flaws in the modifier’s access control mechanism, prioritizing fixes to prevent unauthorized access and inheritance system compromise.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.