First Flight #14: AirDropper

First Flight #14

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of check for `msg.sender` being `account` allows anyone to call `MerkleAirdrop::claim`

ebok21

Description:
The claim function in the MerkleAirdrop contract does not verify that the msg.sender is the same as the account parameter. This allows anyone to call the function assuming that they provide the correct account, amount and merkleProof values, as the parameter values are publicly available.

Impact:
This vulnerability enables an attacker to claim tokens on behalf of any account, potentially leading to unauthorized distribution of tokens. The tokens are only sent to the account address and not to the msg.sender's address, however it undermines the integrity of the token distribution process.

Proof of Code:
Add the following test to MerkleAirdropTest.t.sol and run forge test --zksync --mt testAnyoneCanCallClaim.

POC

function testAnyoneCanCallClaim() public {

address randomUser = makeAddr("random");

uint256 startingBalance = token.balanceOf(collectorOne);

vm.deal((randomUser), airdrop.getFee());

vm.startPrank(randomUser);

airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);

vm.stopPrank();

uint256 endingBalance = token.balanceOf(collectorOne);

assertEq(endingBalance - startingBalance, amountToCollect);

}

Recommended Mitigation:
Implement a check within the claim function to ensure that msg.sender is the same as the account parameter as shown below-

Updated Code

+ error MerkleAirdrop__NotEligibleForAirdrop();

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

+ if(msg.sender != account) {

+ revert MerkleAirdrop__NotEligibleForAirdrop();

+ }

if (msg.value != FEE) {

revert MerkleAirdrop__InvalidFeeAmount();

}

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert MerkleAirdrop__InvalidProof();

}

emit Claimed(account, amount);

i_airdropToken.safeTransfer(account, amount);

}

Tools Used: Manual Review and Foundry for POC

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.