The removeBeneficiary() function employs delete beneficiaries[index], which only zeroes out the address at that index but does not reduce the beneficiaries array's length. Subsequently, withdrawInheritedFunds() relies on the full array length for distributing funds to beneficiaries. Because the array length remains unchanged and still includes the "deleted" slot, the portion of inheritance meant for that slot is sent to the zero address (address(0)) instead. This results in a permanent and non-recoverable loss of funds.
In Solidity, delete beneficiaries[index] resets the element at the specified index to address(0) but leaves the array length intact. As a result, any distribution that loops over the full array length will distribute one share to beneficiaries[i] even when beneficiaries[i] == address(0). Thus, that share is effectively "burned," and legitimate beneficiaries receive less total distribution.
Once funds are directed to the zero address, they are irretrievably lost, lowering the actual inheritance for valid beneficiaries. If the contract handles significant Ether or token amounts, these losses could be considerable.
Manual Analysis.
Remove a beneficiary by updating the array structure rather than simply zeroing out the address. A common, safe pattern involves swapping the last element into the removed spot and then using .pop() to shorten the array.
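The delete-based removal and the swap-and-pop fix side by side, as an added Solidity example that is not the audited contract's code. Only the beneficiaries array name comes from the finding; the contract name, function names and the shareOf helper are assumptions, and access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Names other than `beneficiaries` are hypothetical.
// Access control is omitted here; a real contract must restrict
// add/remove to the owner.
contract BeneficiaryListExample {
    address[] public beneficiaries;

    function addBeneficiary(address who) external {
        require(who != address(0), "zero address");
        beneficiaries.push(who);
    }

    // Pattern described in the finding: the slot becomes address(0)
    // while beneficiaries.length stays the same.
    function removeWithDelete(address who) external {
        uint256 index = _indexOf(who);
        delete beneficiaries[index];
    }

    // Recommended pattern: move the last element into the removed slot,
    // then pop() so the length shrinks by one. Element order is not kept.
    function removeWithSwapAndPop(address who) external {
        uint256 index = _indexOf(who);
        uint256 last = beneficiaries.length - 1;
        if (index != last) {
            beneficiaries[index] = beneficiaries[last];
        }
        beneficiaries.pop();
    }

    // Share per slot as a length-based distribution computes it. After
    // removeWithDelete the divisor still counts the zeroed slot, so one
    // share is destined for address(0).
    function shareOf(uint256 total) external view returns (uint256) {
        return total / beneficiaries.length;
    }

    // Reverts when the address is absent, so removal never edits an
    // unrelated slot.
    function _indexOf(address who) internal view returns (uint256) {
        for (uint256 i = 0; i < beneficiaries.length; i++) {
            if (beneficiaries[i] == who) return i;
        }
        revert("not a beneficiary");
    }
}
```

With three beneficiaries and a total of 9 ether, shareOf returns 3 ether after removeWithDelete (one share addressed to address(0)) and 4.5 ether after removeWithSwapAndPop.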