A critical vulnerability related to the transferFrom function in the ERC20 token contract could allow an attacker to send tokens from the airdrop vault to an arbitrary address.
Finding: The Airdrop.claim() function in Airdrop.sol passes an arbitrary from address to the transferFrom method, which could be exploited by an attacker.
Location: Airdrop.claim() (src/Airdrop.sol#51-89)
Code Snippet:
The transferFrom function is designed to allow a spender to transfer tokens on behalf of the token owner. However, in the current implementation the from address is hardcoded to address(airdropVault), which means that any user can trigger the transfer of tokens from the airdrop vault to their own address without having any control over the original from address.
This vulnerability could enable an attacker to drain funds from the airdrop vault by repeatedly calling the claim function and redirecting the transferred tokens to their own address. This could have severe financial implications for the project and its participants.
To mitigate this vulnerability, the transferFrom call should be modified to use msg.sender as the from address. This change ensures that only the caller of the claim function can initiate the transfer of tokens from their own address. Additionally, proper checks should be implemented to verify that the caller has an adequate allowance set by the token owner.
Here is the corrected code snippet:
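The following is an added illustration of the flagged pattern beside the recommended form; it is not the Airdrop.sol code under review, and the IERC20 interface, the AirdropVulnerable and AirdropHardened contract names and the claim parameters are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed by the example (assumed interface name).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Pattern described in the finding: the `from` argument of transferFrom is a
// fixed vault address rather than the caller, so the caller has no control
// over, and no ownership relation to, the account being debited.
contract AirdropVulnerable {
    IERC20 public immutable token;
    address public immutable airdropVault;

    constructor(IERC20 _token, address _vault) {
        token = _token;
        airdropVault = _vault;
    }

    function claim(address to, uint256 amount) external {
        // msg.sender is never tied to the `from` account.
        require(token.transferFrom(airdropVault, to, amount), "transfer failed");
    }
}

// Recommended form from the finding: `from` is always msg.sender, and the
// allowance the caller granted to this contract is checked before the
// transfer is attempted, so only tokens the caller controls can move.
contract AirdropHardened {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    function claim(address to, uint256 amount) external {
        uint256 allowed = token.allowance(msg.sender, address(this));
        require(allowed >= amount, "insufficient allowance");
        require(token.transferFrom(msg.sender, to, amount), "transfer failed");
    }
}
```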