Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Incorrect Beneficiary Index Retrieval in InheritanceManager Contract

osuolale

Summary

The _getBeneficiaryIndex function, used as a helper for removeBeneficiary, has a critical flaw: if the specified _beneficiary address is not found in the beneficiaries array, it silently returns 0 instead of indicating an error. This causes the first beneficiary (at index 0) to be incorrectly targeted for removal, undermining the owner’s intent and disrupting the inheritance structure.

Vulnerability Details

The vulnerable code is in the _getBeneficiaryIndex function:

solidity

/**
* @dev takes beneciciary address and returns index as a helper function for removeBeneficiary
* @param _beneficiary address to fetch the index for
*/
//@audit-issue k checks if the address is not availabe in the array, the array will return 0 and cause the beneficiary at index 0 to lose it benefit
function _getBeneficiaryIndex(address _beneficiary) public view returns (uint256 _index) {
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (_beneficiary == beneficiaries[i]) {
_index = i;
break;
}
}
}

Silent Default Return:

  • The function initializes _index to 0 implicitly (Solidity’s default for uint256).

  • If the loop completes without finding _beneficiary, it returns 0 instead of signaling that the address wasn’t found.

  • This falsely indicates that the beneficiary at index 0 should be acted upon.

  • Dependency in removeBeneficiary:

    • The removeBeneficiary function relies on _getBeneficiaryIndex:

      solidity

      function removeBeneficiary(address _beneficiary) external onlyOwner {
      uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);
      delete beneficiaries[indexToRemove];
      }

    • If _beneficiary isn’t in the array, index 0 is deleted, removing the first beneficiary instead of reverting or skipping the operation.

  • No Validation:

    • There’s no check to confirm whether the returned index corresponds to the actual _beneficiary, allowing unintended removals.

Impact

Incorrect Beneficiary Removal: The first beneficiary (index 0) loses their inheritance rights if an invalid address is passed, violating the owner’s intent.

  • Inheritance Disruption: Subsequent operations (e.g., withdrawInheritedFunds) treat address(0) as a valid beneficiary, potentially sending funds to the zero address or skewing distribution calculations.

  • Owner Confusion: The owner may unknowingly remove the wrong beneficiary, with no indication of the error, reducing trust in the contract’s reliability.

  • Potential Exploitation: While not directly exploitable by external parties due to onlyOwner, it could lead to accidental fund loss if the owner mistakenly inputs an incorrect address.

Tools Used

Manual review

Recommendations

Modify _getBeneficiaryIndex to explicitly validate the beneficiary’s presence and revert if not found. Here’s a corrected version:

solidity

/**
* @dev takes beneficiary address and returns index as a helper function for removeBeneficiary
* @param _beneficiary address to fetch the index for
*/
function _getBeneficiaryIndex(address _beneficiary) public view returns (uint256 _index) {
for (uint256 i = 0; i < beneficiaries.length; i++) {
if (_beneficiary == beneficiaries[i]) {
return i;
}
}
revert("Beneficiary not found");
}
Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.