Submission Details
Severity: high
Invalid

Any single beneficiary can take control over NFT pricing and currency by appointing themselves as Trustee

Description:

The appointTrustee function allows any beneficiary to appoint anyone (including themselves) as Trustee without requiring consensus from other beneficiaries:

function appointTrustee(address _trustee) external onlyBeneficiaryWithIsInherited {
    // No vote or quorum: the caller's choice replaces the current trustee.
    trustee = _trustee;
}

This function has critical issues:

  • It can be called by any beneficiary after inheritance mode is activated

  • There's no mechanism to prevent a single beneficiary from appointing themselves

  • Any beneficiary can continuously overwrite the Trustee assignment

  • No consensus mechanism exists among beneficiaries

Once appointed, the Trustee gains significant powers that can manipulate the inheritance distribution:

// Trustee alone sets the price used for an NFT.
function setNftValue(uint256 _nftID, uint256 _value) external onlyTrustee {
    nftValue[_nftID] = _value;
}

// Trustee alone chooses the payment token.
function setAssetToPay(address _asset) external onlyTrustee {
    assetToPay = _asset;
}

These powers allow a malicious Trustee to control NFT valuation and payment currency, which directly impacts the ability of beneficiaries to buy out NFTs in the buyOutEstateNFT() function.

Impact:

  • Complete control over NFT distribution: A malicious beneficiary can manipulate NFT pricing to make it impossible for others to buy out valuable NFTs.

  • Price manipulation: A Trustee can set an artificially low value for an NFT they want and a high value for others.

  • Currency gatekeeping: By selecting an obscure or inaccessible token as assetToPay, the Trustee can effectively prevent others from completing buyouts.

  • Continuous control battle: Multiple beneficiaries may engage in a "transaction war," constantly overwriting the Trustee assignment, resulting in high gas costs and protocol instability.

  • Centralization of power: The mechanism allows a single actor to control the distribution of potentially high-value assets, defeating the purpose of fair multi-party inheritance.

Recommended Mitigation:

  • Implement a multi-signature or voting mechanism for Trustee assignment

  • Require that value changes stay within reasonable bounds (e.g., ±20%), with a timelock before the next possible value revision (e.g., 30 days)
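
One way to implement both recommendations, added here as an example; it is not code from the audited contract or from the submission. The contract name, voteTrustee, the vote bookkeeping and the two constants are hypothetical, and the inheritance-mode check behind onlyBeneficiaryWithIsInherited is left out and assumed to gate voteTrustee in the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration. Names other than trustee, nftValue, setNftValue and
// onlyTrustee are hypothetical and do not come from the audited contract.
contract TrusteeGovernanceExample {
    uint256 public constant MAX_CHANGE_BPS = 2_000;   // 20% in basis points
    uint256 public constant REVISION_DELAY = 30 days; // wait between revisions
    uint256 public beneficiaryCount;
    address public trustee;
    mapping(address => bool) public isBeneficiary;
    mapping(address => address) public voteOf;      // beneficiary => candidate
    mapping(address => uint256) public votesFor;    // candidate => current votes
    mapping(uint256 => uint256) public nftValue;
    mapping(uint256 => uint256) public lastRevision; // 0 means never valued

    modifier onlyBeneficiary() { require(isBeneficiary[msg.sender], "not beneficiary"); _; }
    modifier onlyTrustee() { require(msg.sender == trustee, "not trustee"); _; }

    constructor(address[] memory _beneficiaries) {
        for (uint256 i = 0; i < _beneficiaries.length; i++) {
            address b = _beneficiaries[i];
            // Reject duplicates so one address cannot hold two votes.
            require(b != address(0) && !isBeneficiary[b], "bad beneficiary");
            isBeneficiary[b] = true;
        }
        beneficiaryCount = _beneficiaries.length;
    }

    // Each beneficiary has one movable vote. The trustee changes only when a
    // candidate holds a strict majority, so a single caller cannot overwrite it.
    function voteTrustee(address candidate) external onlyBeneficiary {
        require(candidate != address(0), "zero candidate");
        address prev = voteOf[msg.sender];
        if (prev != address(0)) votesFor[prev] -= 1;
        voteOf[msg.sender] = candidate;
        votesFor[candidate] += 1;
        if (votesFor[candidate] * 2 > beneficiaryCount) trustee = candidate;
    }

    // The first valuation is unconstrained; later ones are delayed and bounded.
    function setNftValue(uint256 _nftID, uint256 _value) external onlyTrustee {
        require(_value > 0, "zero value");
        uint256 old = nftValue[_nftID];
        if (lastRevision[_nftID] != 0) {
            require(block.timestamp >= lastRevision[_nftID] + REVISION_DELAY, "too soon");
            uint256 delta = _value > old ? _value - old : old - _value;
            require(delta * 10_000 <= old * MAX_CHANGE_BPS, "change > 20%");
        }
        nftValue[_nftID] = _value;
        lastRevision[_nftID] = block.timestamp;
    }
}
```

The bound only limits drift from the first value the trustee sets, so the initial valuation still depends on the elected trustee; setAssetToPay would need the same vote or delay to address the currency concern.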

Updates

Lead Judging Commences

0xtimefliez Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
