Severity: high
Valid

Incorrect USDC address, it will cause the funds to remain locked forever in the contract.

[H-3] Incorrect USDC address, it will cause the funds to remain locked forever in the contract.

Description: In the deployment script, an incorrect address was assigned to the variable Deploy.s.sol::s_zkSyncUSDC.

Impact: It will cause the funds to remain locked forever in the contract.

Proof of Concept: Because an incorrect token is assigned, the MerkleAirdrop::claim() function fails when it attempts to transfer tokens: the contract's balance of the erroneous token is zero, so it has no tokens to send.

Code

This test was added in MerkleAirdrop.t.test

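function testFailIncorrectTokenAddress() public {
    // Deploy an airdrop configured with a mock token that stands in for the wrong address
    MockBlacListed blacklist = new MockBlacListed();
    MerkleAirdrop airdrop2 = new MerkleAirdrop(merkleRoot, blacklist);
    // Fund the airdrop with the real token; its balance of the configured token stays zero
    token.mint(address(this), amountToSend);
    token.transfer(address(airdrop2), amountToSend);
    // The claim is expected to revert, which the testFail prefix treats as a pass
    vm.deal(collectorOne, airdrop.getFee());
    vm.startPrank(collectorOne);
    airdrop2.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
}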

Recommended Mitigation: Assign the correct USDC address on zkSync Mainnet (0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4) to the variable Deploy.s.sol::s_zkSyncUSDC.
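
A deployment-time guard that would surface this class of mistake before funds are sent, as an added example that is not the audited project's code. The library, interface, error and function names are hypothetical, and it assumes the deploy script runs against the target chain's state and passes in the symbol and decimals it expects.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added example; every name in this file is hypothetical.
// Minimal view of the ERC-20 functions the checks need.
interface IERC20Metadata {
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
    function balanceOf(address account) external view returns (uint256);
}

library TokenPreflight {
    error NoCodeAtToken(address token);
    error UnexpectedSymbol(address token, string got);
    error UnexpectedDecimals(address token, uint8 got);
    error AirdropUnderfunded(address airdrop, uint256 have, uint256 need);

    /// Reverts unless `token` is a deployed contract reporting the expected metadata.
    /// Call this on the configured token address before deploying the airdrop.
    function requireExpectedToken(
        address token,
        string memory expectedSymbol,
        uint8 expectedDecimals
    ) internal view {
        // A mistyped address usually points at an account with no code at all.
        if (token.code.length == 0) revert NoCodeAtToken(token);

        // Strings cannot be compared directly, so compare their hashes.
        string memory got = IERC20Metadata(token).symbol();
        if (keccak256(bytes(got)) != keccak256(bytes(expectedSymbol))) {
            revert UnexpectedSymbol(token, got);
        }

        uint8 dec = IERC20Metadata(token).decimals();
        if (dec != expectedDecimals) revert UnexpectedDecimals(token, dec);
    }

    /// Reverts unless `airdrop` holds at least `need` of the token it was configured with.
    /// Call this after funding: it fails when the funds were sent in a different token.
    function requireFunded(address token, address airdrop, uint256 need) internal view {
        uint256 have = IERC20Metadata(token).balanceOf(airdrop);
        if (have < need) revert AirdropUnderfunded(airdrop, have, need);
    }
}
```

These checks catch a mistyped or stale address; they do not authenticate the token, since any contract can report the same symbol and decimals, so the address itself still has to be compared against the issuer's published value.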

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
