Beginner Friendly, DeFi, Foundry
Submission Details
Severity: low
Invalid

User Blacklisted

[M-1] If the wallet an airdrop allocation is assigned to is blacklisted by the token, claim reverts and the allocation stays locked in the contract until the wallet is removed from the blacklist.

Description: Mainnet USDC (Circle's FiatToken) enforces a blacklist: transfer reverts when either the sender or the recipient is blacklisted. MerkleAirdrop.claim pays out by transferring the airdrop token to the recipient account, so if the airdrop token is USDC and the account has been blacklisted, that transfer reverts, the claim cannot complete, and the allocation stays in the contract until the account is removed from the blacklist.

Impact: The allocation is unclaimable for as long as the account is blacklisted. If the blacklisting is never lifted, those tokens remain locked in the contract and are effectively lost to the user.

Proof of Concept:

  1. The user is eligible for the airdrop: their address and amount are included in the Merkle tree, whose root is fixed at deployment.

  2. Afterwards, for whatever reason, the user's address is added to the USDC blacklist. The Merkle root cannot be changed, so eligibility cannot be revoked.

  3. When the user calls claim, the token transfer to the blacklisted account reverts and the claim fails.

Code

The following test was added to MerkleAirdrop.t.sol. It funds the second airdrop before blacklisting the recipient, so the only call that can revert is the claim itself (a testFail-style test would also "pass" if the funding transfer reverted, which is not the behaviour under test). The fee is read into a local variable first, because vm.expectRevert applies to the very next external call, and airdrop2.getFee() inside the call expression would otherwise be that call.

    function testClaimRevertsForBlacklistedRecipient() public {
        // Mint exactly what the airdrop needs to the deployer (this test contract)
        MockBlacListed blacklist = new MockBlacListed(amountToSend);
        MerkleAirdrop airdrop2 = new MerkleAirdrop(merkleRoot, blacklist);

        // Fund the airdrop before the recipient is blacklisted
        blacklist.transfer(address(airdrop2), amountToSend);
        uint256 fee = airdrop2.getFee();
        vm.deal(collectorOne, fee);

        // Eligibility is already fixed in merkleRoot; the user is blacklisted afterwards
        blacklist.blacklist(collectorOne);

        // claim() transfers the token to collectorOne, and the mock rejects transfers
        // to a blacklisted recipient ("Blacklistable: account is blacklisted")
        vm.startPrank(collectorOne);
        vm.expectRevert();
        airdrop2.claim{ value: fee }(collectorOne, amountToCollect, proof);
        vm.stopPrank();
    }

The mock token used by the test, also added to MerkleAirdrop.t.sol (it needs import { ERC20 } from "@openzeppelin/contracts/token/ERC20/ERC20.sol"; at the top of the file), reproduces the relevant part of USDC's Blacklistable behaviour: transfer reverts when either the sender or the recipient is blacklisted.

    contract MockBlacListed is ERC20 {
        mapping(address => bool) internal _blacklisted;

        modifier notBlacklisted(address _account) {
            require(!_isBlacklisted(_account), "Blacklistable: account is blacklisted");
            _;
        }

        // Mint the whole supply to the deployer so the test can fund the airdrop
        constructor(uint256 supply) ERC20("BlackList Token", "BLT") {
            _mint(msg.sender, supply);
        }

        // USDC uses 6 decimals
        function decimals() public view virtual override returns (uint8) {
            return 6;
        }

        function isBlacklisted(address _account) external view returns (bool) {
            return _isBlacklisted(_account);
        }

        // No access control: the test acts as the blacklister
        function blacklist(address _account) external {
            _setBlacklistState(_account, true);
        }

        function unBlacklist(address _account) external {
            _setBlacklistState(_account, false);
        }

        function _isBlacklisted(address _account) internal view returns (bool) {
            return _blacklisted[_account];
        }

        function _setBlacklistState(address _account, bool _shouldBlacklist) internal virtual {
            _blacklisted[_account] = _shouldBlacklist;
        }

        // Same gate USDC applies: both sender and recipient must be clear
        function transfer(address to, uint256 value)
            public
            virtual
            override
            notBlacklisted(msg.sender)
            notBlacklisted(to)
            returns (bool)
        {
            return super.transfer(to, value);
        }
    }

Recommended Mitigation: Check each wallet against the token's blacklist before it is made eligible, and exclude blacklisted wallets from the airdrop. Because the Merkle root is fixed at deployment, this exclusion has to be applied when the eligibility list is generated; a check at claim time can only make the failure explicit, it cannot free an allocation that was assigned before the wallet was blacklisted.
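As an added illustration of the on-chain half of that recommendation (example code written for this review, not part of the MerkleAirdrop project), the variant below queries the token's isBlacklisted() view, which mainnet USDC exposes, before attempting the payout, so a blacklisted recipient fails with an explicit error instead of a bubbled token revert. The contract name, the error names, the isRecipientBlacklisted helper and the omission of the claim fee are assumptions made for the example; the leaf encoding follows the double-keccak layout used with OpenZeppelin's MerkleProof. It does not unlock the allocation: the Merkle root is fixed, so the actual exclusion of blacklisted wallets has to happen when the eligibility list is generated.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import { MerkleProof } from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

// Minimal view of Circle's Blacklistable interface; isBlacklisted is a public
// view on mainnet USDC. Tokens that do not implement it are assumed to revert
// on the unknown selector, which the try/catch below treats as "no blacklist".
interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

// Example contract (hypothetical name), not the project's MerkleAirdrop.
contract GuardedMerkleAirdrop {
    using SafeERC20 for IERC20;

    error GuardedMerkleAirdrop__RecipientBlacklisted(address account);
    error GuardedMerkleAirdrop__InvalidProof();
    error GuardedMerkleAirdrop__AlreadyClaimed();

    bytes32 public immutable i_merkleRoot;
    IERC20 public immutable i_airdropToken;
    mapping(address => bool) private s_claimed;

    constructor(bytes32 merkleRoot, IERC20 airdropToken) {
        i_merkleRoot = merkleRoot;
        i_airdropToken = airdropToken;
    }

    // True only when the token exposes isBlacklisted() and reports the account
    // as blacklisted. A token whose call reverts is treated as having no blacklist.
    function isRecipientBlacklisted(address account) public view returns (bool) {
        try IBlacklistable(address(i_airdropToken)).isBlacklisted(account) returns (bool blocked) {
            return blocked;
        } catch {
            return false;
        }
    }

    function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external {
        if (s_claimed[account]) revert GuardedMerkleAirdrop__AlreadyClaimed();

        // Fail early with an explicit reason instead of bubbling the token's revert.
        if (isRecipientBlacklisted(account)) {
            revert GuardedMerkleAirdrop__RecipientBlacklisted(account);
        }

        // Double-hashed leaf, as used with OpenZeppelin's standard Merkle tree
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
        if (!MerkleProof.verifyCalldata(merkleProof, i_merkleRoot, leaf)) {
            revert GuardedMerkleAirdrop__InvalidProof();
        }

        s_claimed[account] = true;
        i_airdropToken.safeTransfer(account, amount);
    }
}
```

The check is deliberately placed before the proof verification and the claimed-flag update, so a blacklisted recipient leaves no state behind and can retry once the token removes them from the blacklist; the allocation itself remains in the contract exactly as the finding describes.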

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags: Invalid according to docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid
