Summary
The create function is vulnerable to a replay attack because it performs no nonce verification. There is no reason to use a Merkle proof if anyone can replay it.
Vulnerability Details
```solidity
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
    if (msg.value != FEE) {
        revert MerkleAirdrop__InvalidFeeAmount();
    }
    // The leaf binds only (account, amount); nothing here records that this leaf was already used.
    bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
    if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
        revert MerkleAirdrop__InvalidProof();
    }
    emit Claimed(account, amount);
    // Transfer happens on every call that carries a valid proof, so the same proof can be submitted again.
    i_airdropToken.safeTransfer(account, amount);
}
```
Specifically, in this line:

```solidity
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
```

Although a Merkle proof is checked, nothing prevents a replay because no nonce is included and no claimed state is recorded. This defeats the purpose of using a Merkle proof.
Impact
The impact of this vulnerability is severe, as it allows an attacker to claim someone else's tokens and breaks the contract.
Tools Used
Manual review
Recommendations
Consider using a nonce or other signature replay protection in the MerkleAirdrop contract.