Submission Details
Severity: high
Valid

No checks whether an Airdrop has been claimed or not

Summary
The claim function never records or checks whether an airdrop has already been claimed, so a valid proof can be submitted again and the same airdrop claimed more than once.

Vulnerability Details

```solidity
// Vulnerable claim function as audited: the fee and the Merkle proof are
// checked, but nothing records that this leaf has already been redeemed.
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
    if (msg.value != FEE) {
        revert MerkleAirdrop__InvalidFeeAmount();
    }
    // Double-hashed leaf over (account, amount), matching the tree construction.
    bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
    if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
        revert MerkleAirdrop__InvalidProof();
    }
    // No "already claimed" check here: the same proof passes every time.
    emit Claimed(account, amount);
    i_airdropToken.safeTransfer(account, amount);
}
```

The claim function emits Claimed, but there is no check for whether the airdrop has already been claimed before the tokens are transferred, so a valid proof can be submitted any number of times and the same airdrop can be claimed repeatedly, breaking the contract.
I am not even sure if this is possible tbh.
At the very least, someone might try to claim an airdrop but not be able to because it has already been claimed, and there is no error for that case.

Impact
The impact of this vulnerability is severe: an attacker can claim an airdrop again and again, depleting the contract's token balance so that fewer people can benefit from the airdrop.

Tools Used
Manual review

Recommendations
Maybe add a require statement to check whether the Airdrop has been claimed or not:

```solidity
require(!Claimed[leaf], "MerkleAirdrop__AlreadyClaimed");
```
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

multi-claim-airdrop
