Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Improper Beneficiary Removal in InheritanceManager Contract

osuolale

Summary

The removeBeneficiary function in the InheritanceManager contract, intended to remove a beneficiary from the beneficiaries array, contains a critical flaw. Instead of properly removing the entry and reducing the array length, it only sets the specified index to address(0) using the delete keyword. This leaves address(0) as a valid beneficiary, potentially allowing unintended parties to receive inherited funds and disrupting the inheritance logic.

Vulnerability Details

The vulnerable code is in the removeBeneficiary function:

solidity

function removeBeneficiary(address _beneficiary) external onlyOwner {
uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);
delete beneficiaries[indexToRemove];
}

Incorrect Array Management:

  • The delete keyword in Solidity resets the value at beneficiaries[indexToRemove] to its default value (address(0) for an address type) but does not shift elements or reduce the array's length.

  • This leaves the array with the same length, now containing address(0) at the removed index.

Dependent Logic:

  • The beneficiaries array is used in functions like withdrawInheritedFunds and buyOutEstateNFT, which iterate over its length and distribute assets to all entries, including address(0) if present.

  • For example, in withdrawInheritedFunds:

    solidity

    uint256 divisor = beneficiaries.length;
    uint256 amountPerBeneficiary = ethAmountAvailable / divisor;
    for (uint256 i = 0; i < divisor; i++) {
    address payable beneficiary = payable(beneficiaries[i]);
    (bool success,) = beneficiary.call{value: amountPerBeneficiary}("");
    require(success, "something went wrong");
    }

    If beneficiaries[i] is address(0), ETH will be sent to the zero address, potentially locking funds or causing unexpected behavior.

Impact

  • Funds Misallocation: ETH or ERC20 tokens intended for legitimate beneficiaries may be sent to address(0), effectively burning them or making them inaccessible, depending on the network.

  • Inheritance Disruption: The presence of address(0) in the beneficiaries array skews calculations (e.g., division in withdrawInheritedFunds or buyOutEstateNFT), potentially reducing payouts to valid beneficiaries or causing unexpected reverts.

  • Security Risk: An attacker could exploit this if they predict or manipulate conditions where address(0) receiving funds benefits them indirectly (e.g., via gas refunds or external contract interactions), though this is less likely.

  • Owner Intent Violation: The owner’s intention to revoke a beneficiary’s access is not fully realized, as the slot remains occupied.

Tools Used

Manual Review

Recommendations

To fix this vulnerability, implement proper array removal logic by shifting elements and reducing the array length. Here’s a corrected version of removeBeneficiary:

solidity

function removeBeneficiary(address _beneficiary) external onlyOwner {
uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);
require(beneficiaries[indexToRemove] != address(0), "Beneficiary not found"); // Optional: ensure beneficiary exists
// Shift elements to fill the gap
for (uint256 i = indexToRemove; i < beneficiaries.length - 1; i++) {
beneficiaries[i] = beneficiaries[i + 1];
}
// Remove the last element and reduce length
beneficiaries.pop();
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect removal from beneficiary list causes funds to be send to 0 address

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.