Inheritable Smart Contract Wallet

First Flight #35

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Single beneficiary can make the contract stuck in InheritanceManager::inherit()

sala1

Summary

The function InheritanceManager::inherit() has problem if there is a single beneficiary scenario explained below.

Take a look function code below and descriptions will follow.

/**

* @dev manages the inheritance of this wallet either

* 1. the owner lost his keys and wants to reclaim this contract from beneficiaries slot0

* 2. the owner was inactive more than 90 days and beneficiaries will claim remaining funds.

function inherit() external {

if (block.timestamp < getDeadline()) {

revert InactivityPeriodNotLongEnough();

}

if (beneficiaries.length == 1) {

owner = msg.sender;

_setDeadline();

} else if (beneficiaries.length > 1) {

isInherited = true;

} else {

revert InvalidBeneficiaries();

}

Vulnerability Details

The contract requires that block.timestamp >= deadline (90 days of inactivity) before inheritance can happen.

Single Beneficiary Case:

If there is exactly one beneficiary in the beneficiaries array, that single beneficiary becomes the new owner:

owner = msg.sender;

_setDeadline();

After this line, owner is updated from the original owner to the single beneficiary.

When there is only one beneficiary and they become the new owner, the entire contract depends on that single address. If the new owner/beneficiary loses their private key, there’s no additional fallback mechanism.

Consider this Scenario

Initial Setup
- Owner: John doe1
- Beneficiary: Jane (only one)
- No other beneficiaries
After 90 Days
- John doe1 doesn’t access the contract, so Jane calls inherit().
- Since beneficiaries.length == 1, Jane becomes the new owner.
Jane Loses Her Key
- Now, Jane (the new owner) cannot access the contract.
- No one else is listed as a beneficiary.
- No new transactions can happen because Jane alone can call the owner-only functions, and Jane’s lost her keys

Impact

Funds stuck and nobody can interact with the contract.

Tools Used

Manual review.

Recommendations

Let single beneficiary add backup (require backups as part of the logic)

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

211

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.