The claimDistribution function in the MerkleDistributor contract is vulnerable to exploitation due to a lack of controls over claim amounts and the absence of checks against reusing merkle proof nodes.
The claimDistribution function is designed to allow users to claim their allotted tokens from a token distribution. However, the function has critical flaws:
It does not impose a limit on the claim amounts, allowing users to potentially drain the entire distribution by repeatedly claiming with incrementally higher amounts.
It fails to verify whether the node of a merkle proof has already been used for a claim, permitting a user to claim multiple times with different amounts using the same merkle proof. This oversight allows for the possibility of a user draining more funds than they are entitled to.
These vulnerabilities can lead to severe consequences for the token distribution process:
A single user could deplete all tokens intended for distribution, denying other rightful recipients their share.
The integrity of the distribution is compromised as the contract does not accurately track the amount of tokens each user has claimed.
Users may be able to claim tokens multiple times, effectively exploiting the system and potentially leading to a loss of trust in the token distribution process.
Manual Review
To mitigate these risks, implement the following controls:
Enforce a check that the claimed amount cannot exceed the user's allotted amount, thus preventing any user from claiming more than their fair share.
Introduce a mechanism to mark merkle proof nodes as used after a successful claim, thereby preventing the reuse of merkle proofs for claiming additional amounts.
Correct the logic that allows for the claimed amount to be reset to 0, ensuring that the claimed tokens are properly accounted for and cannot be manipulated.
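The three controls above, combined in one claim function. This is an added sketch, not the audited MerkleDistributor's code: the contract name, the leaf layout (double-hashed `abi.encode(account, allotted)`), and the use of OpenZeppelin's `MerkleProof` and `SafeERC20` are assumptions, and a cumulative per-account counter stands in for a per-leaf "used" flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Hypothetical hardened distributor; names and leaf layout are assumptions.
contract HardenedDistributorSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    bytes32 public immutable merkleRoot;

    // Cumulative amount already paid to each account. Only ever increases.
    mapping(address => uint256) public claimed;

    error InvalidProof();
    error NothingToClaim();

    event Claimed(address indexed account, uint256 paid, uint256 totalClaimed);

    constructor(IERC20 _token, bytes32 _root) {
        token = _token;
        merkleRoot = _root;
    }

    /// @param allotted Total allotment for `account`, as committed to in the leaf.
    function claimDistribution(address account, uint256 allotted, bytes32[] calldata proof) external {
        // Control 1: the amount is part of the leaf, so a proof only verifies
        // for the exact allotment; a higher amount changes the leaf hash.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, allotted))));
        if (!MerkleProof.verify(proof, merkleRoot, leaf)) revert InvalidProof();

        // Control 2: replaying the same leaf finds allotted == claimed and reverts.
        uint256 already = claimed[account];
        if (allotted <= already) revert NothingToClaim();

        // Control 3: the counter is set to the allotment, never reset to 0,
        // and is updated before the external token call.
        uint256 payout = allotted - already;
        claimed[account] = allotted;
        token.safeTransfer(account, payout);
        emit Claimed(account, payout, allotted);
    }
}
```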