Submission Details
Severity: medium
Valid

Failure to Reset Timer in contractInteractions Enabling Premature Inheritance Claims

Summary

The InheritanceManager contract is designed to facilitate secure asset inheritance, enforcing a 90-day inactivity period before beneficiaries can claim assets. A critical flaw has been identified in the contractInteractions function: it does not call _setDeadline() after a successful interaction, failing to reset the 90-day inactivity timer. This violates the contract’s core assumption that "EVERY transaction the owner does with this contract must reset the 90 days timer." As a result, the owner's activity is not accurately reflected, potentially allowing beneficiaries to claim inheritance prematurely despite recent owner engagement.

Vulnerability Details

The contractInteractions function enables the owner to interact with external contracts, such as managing assets or performing operations on behalf of the InheritanceManager contract. However, the function lacks a call to _setDeadline(), which is responsible for resetting the 90-day inactivity timer. Consequently, when the owner uses this function, the timer remains unchanged, incorrectly suggesting prolonged inactivity.

Example Scenario

Consider the following sequence of events:

  1. Day 0: The owner interacts with the contract via another function, resetting the timer to 90 days.

  2. Day 89: The owner calls contractInteractions to manage an external contract.

  3. Day 91: Since the timer was not reset on day 89, beneficiaries can trigger the inheritance process, claiming assets despite the owner's recent activity.

In this case, the contract fails to recognize the owner's interaction via contractInteractions, allowing the inheritance mechanism to activate prematurely.

Impact

The failure to reset the timer in the contractInteractions function has significant consequences:

  • Premature Inheritance Claims: Beneficiaries may gain access to the contract’s assets before the owner has been inactive for the full 90 days, violating the contract’s security mechanism.

  • Misrepresentation of Owner Activity: The contract incorrectly assumes inactivity, even when the owner is actively managing external contracts, leading to unintended asset transfers.

  • Operational and Financial Risk: The owner could lose control of assets unexpectedly, resulting in financial losses or operational disruptions.

Tools Used

Recommendations

1. Update the contractInteractions Function
Modify the function to call _setDeadline() after a successful external interaction. This ensures the timer is reset whenever the owner interacts with external contracts.

  • Updated Code Example:

    function contractInteractions(address _target, bytes memory _data, uint256 _value) external onlyOwner nonReentrant {
        (bool success, ) = _target.call{value: _value}(_data);
        require(success, "External call failed");
        _setDeadline(); // Reset the 90-day timer
    }

2. Implement a Modifier for Consistency
Create a resetDeadline modifier that automatically calls _setDeadline() for owner-initiated functions. This reduces the risk of similar oversights in other functions.

  • Modifier Example:

    modifier resetDeadline() {
        _;              // Run the function body first; a revert there leaves the timer unchanged
        _setDeadline(); // Reset the 90-day timer
    }

  • Usage in Function:

    function contractInteractions(address _target, bytes memory _data, uint256 _value) external onlyOwner nonReentrant resetDeadline {
        (bool success, ) = _target.call{value: _value}(_data);
        require(success, "External call failed");
    }
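
The Day 0 / Day 89 / Day 91 scenario and the recommended fix, as an added Foundry test that is not part of the original submission or the audited code base. TimerModel, interactVulnerable, interactFixed, inherit and the sink address are hypothetical stand-ins for the real contract, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal model of the timer logic, not the audited InheritanceManager.
contract TimerModel {
    address public immutable owner;
    uint256 public deadline;
    bool public inherited;
    constructor() { owner = msg.sender; _setDeadline(); }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function _setDeadline() internal { deadline = block.timestamp + 90 days; }

    // Reported flaw: an owner call that leaves the deadline untouched.
    function interactVulnerable(address target, bytes calldata data) external onlyOwner {
        (bool ok,) = target.call(data);
        require(ok, "External call failed");
    }
    // Recommended fix: reset the timer after the successful call.
    function interactFixed(address target, bytes calldata data) external onlyOwner {
        (bool ok,) = target.call(data);
        require(ok, "External call failed");
        _setDeadline();
    }
    function inherit() external {
        require(block.timestamp >= deadline, "owner still active");
        inherited = true;
    }
}

contract TimerModelTest is Test {
    TimerModel model;
    address sink = address(0xBEEF); // constructed target with no code; the call succeeds
    function setUp() public { model = new TimerModel(); } // day 0: this test is the owner

    function test_missingResetAllowsClaimOnDay91() public {
        vm.warp(block.timestamp + 89 days);
        model.interactVulnerable(sink, "");  // owner is active on day 89
        vm.warp(block.timestamp + 2 days);
        model.inherit();                     // day 91: claim goes through anyway
        assertTrue(model.inherited());
    }
    function test_resetBlocksClaimOnDay91() public {
        vm.warp(block.timestamp + 89 days);
        model.interactFixed(sink, "");       // deadline moves to day 179
        vm.warp(block.timestamp + 2 days);
        vm.expectRevert("owner still active");
        model.inherit();
    }
}
```
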
Updates

Lead Judging Commences

0xtimefliez Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

functions do not reset the deadline
