Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

If there is only one beneficiary any user can become owner

nypet

Summary

If there is only one beneficiary any user who calls the inerit function of InheritanceManager first will become the owner of the contract.

Vulnerability Details

The inherit function only cheks that the deadline is passed. If it is passed, and there is only one beneficiery it automatically makes msg.sender the owner.

The following test demonstrates the vulnerability:

address aladar = makeAddr("aladar");
address geza = makeAddr("geza");
function testArbitraryUserCannotClaimOwnership() public{
usdc.mint(address(im), 10e18);
weth.mint(address(im), 10e18);
vm.startPrank(owner);
im.addBeneficiery(aladar);
vm.stopPrank();
vm.warp(1 + 90 days);
vm.startPrank(geza);
im.inherit();
vm.stopPrank();
//user geza should not be the owner, since he is not added as a benefciery
assertNotEq(geza, im.getOwner());
}

Impact

If there is only one beneficiary anyone (who is fast enough to call the transaction after deadline) can steal all the funds from the contract.

Tools Used

Manual codereview, foundry test.

Recommendations

If it is expected that anyone can call inherit. then make sure that if there is only one beneficiary, not msg.sender becomes the owner, instead the only beneficiary becomes the owner.

Otherwise make sure, that only beneficiaries can call inherit().

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inherit depends on msg.sender so anyone can claim the contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.