Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[M-2] removeBeneficiary Uses delete Which Leaves Zero Address in Array

d33p

Summary

The removeBeneficiary function uses the delete operator to remove beneficiaries, which replaces the address with address(0) rather than removing the array element. This can lead to funds being distributed to the zero address during inheritance, effectively burning those funds.

Vulnerability Details

When removing a beneficiary, the function replaces the address with address(0) instead of properly removing the element from the array:

function removeBeneficiary(address _beneficiary) external onlyOwner {

uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);

delete beneficiaries[indexToRemove];

}

This creates several issues:

The zero address remains in the beneficiaries array
During fund distribution in withdrawInheritedFunds, tokens or ETH will be sent to the zero address
The divisor used to calculate shares remains unchanged

Impact

This vulnerability could lead to:

Permanently lost funds when distributed to the zero address
Incorrect calculation of inheritance shares
Potential denial of service if many addresses are removed, as the array maintains its original length
Unexpected behavior in other functions that rely on the beneficiaries array

This is rated as medium severity because it can lead to permanent loss of funds during inheritance distribution, but requires specific actions (removing a beneficiary without replacing them) to trigger.

Tools Used

Manual code review

Recommendations

Implement a proper array element removal technique that preserves array integrity:

function removeBeneficiary(address _beneficiary) external onlyOwner {

uint256 indexToRemove = _getBeneficiaryIndex(_beneficiary);

// Verify that the beneficiary exists

require(beneficiaries[indexToRemove] == _beneficiary, "Beneficiary not found");

// Move the last element to the position of the removed element

beneficiaries[indexToRemove] = beneficiaries[beneficiaries.length - 1];

// Remove the last element

beneficiaries.pop();

// Reset the deadline

_setDeadline();

}

This approach maintains array integrity, ensures no zero addresses in the beneficiaries list, and properly resets the deadline to maintain the security model.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect removal from beneficiary list causes funds to be send to 0 address

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.