Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Timer Reset Failure in createEstateNFT Enabling Premature Inheritance Claims

edoscoba

Summary

The InheritanceManager contract is designed to facilitate secure asset inheritance, enforcing a 90-day inactivity period before beneficiaries can claim assets. A core assumption outlined in the project documentation is that "EVERY transaction the owner does with this contract must reset the 90 days timer." However, a flaw has been identified: when the owner calls the createEstateNFT function to mint an NFT, the 90-day timer does not reset. This violates the contract’s stated invariant and could lead to premature inheritance claims, despite the owner’s active engagement with the contract.

Vulnerability Details

The createEstateNFT function allows the owner to mint NFTs representing real-world assets. According to the project’s core assumptions, any transaction initiated by the owner such as minting an NFT should reset the 90-day inactivity timer. However, the current implementation of createEstateNFT does not trigger the _setDeadline() function (or equivalent), which is responsible for updating the timer. As a result, the contract fails to recognize this owner activity, potentially allowing the timer to expire even when the owner is actively managing the contract.

Example Scenario

Consider the following sequence of events:

Day 0: The owner interacts with the contract, resetting the timer to 90 days.
Day 89: The owner calls createEstateNFT to mint a new NFT.
Day 91: Since the timer was not reset on day 89, the inheritance mechanism is triggered, allowing beneficiaries to claim assets.

In this case, the owner’s recent activity (minting an NFT) is not accounted for, leading to an incorrect assumption of inactivity and premature access to the contract’s assets by beneficiaries.

Impact

The failure to reset the timer when the owner calls createEstateNFT has the following consequences:

Premature Inheritance Claims: Beneficiaries may gain access to the contract’s assets before the owner has truly been inactive for 90 days, violating the contract’s intended security mechanism.
Misalignment with Owner Intent: The owner’s active management of the contract (e.g., minting NFTs) is not reflected in the timer, potentially leading to unintended asset transfers.
Operational Risk: The flaw introduces uncertainty into the contract’s behavior, as the timer may not accurately represent the owner’s engagement, increasing the risk of disputes or operational errors.

Tools Used

Recommendations

Update the createEstateNFT Function
Modify the createEstateNFT function to call _setDeadline() (or the equivalent function that resets the timer) after minting the NFT. This ensures that the timer is updated whenever the owner interacts with the contract, including when creating an NFT.

Updated Code Example:

function createEstateNFT(string memory _description, uint256 _value, address _asset) external onlyOwner {

uint256 nftID = nft.createEstate(_description);

nftValue[nftID] = _value;

assetToPay = _asset;

_setDeadline(); // Reset the 90-day timer

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

functions do not reset the deadline

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.