Submission Details
Severity: low
Invalid

Collected fees are permanently stuck inside the MerkleAirdrop.sol contract if ownership is renounced without transferring

Summary

MerkleAirdrop.sol inherits from OpenZeppelin's Ownable.sol contract. MerkleAirdrop.sol collects ETH from users when they call the claim() function and later transfers it to the owner via the claimFees() function, which is only callable by the owner of the contract. However, Ownable.sol exposes a renounceOwnership() function that, when called, transfers ownership of the contract to address(0). If it were called, the owner of MerkleAirdrop.sol would become the zero address and claimFees() could no longer be called by anyone. All ether held by the MerkleAirdrop.sol contract at that point would be trapped with no way to move it.

Vulnerability Details

The function claimFees() uses the onlyOwner modifier:

function claimFees() external onlyOwner {
    (bool succ,) = payable(owner()).call{ value: address(this).balance }("");
    if (!succ) {
        revert MerkleAirdrop__TransferFailed();
    }
}

However, Ownable.sol has a renounceOwnership() function that lets the owner transfer ownership to address(0):

/**
 * @dev Leaves the contract without owner. It will not be possible to call
 * `onlyOwner` functions. Can only be called by the current owner.
 *
 * NOTE: Renouncing ownership will leave the contract without an owner,
 * thereby disabling any functionality that is only available to the owner.
 */
function renounceOwnership() public virtual onlyOwner {
    _transferOwnership(address(0));
}

Impact

If renounceOwnership() were to be called, all the ether collected from the fees would be trapped in the contract with no way to retrieve it.

Tools Used

Manual Review

Recommendations

Override the renounceOwnership() function in MerkleAirdrop.sol so that it reverts every time it is called. Ownership can still be moved with transferOwnership(), but it can never be set to address(0), so claimFees() can never become permanently uncallable.
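The following is an added example, not the audited project's code: a hypothetical FeeVault contract modelled on the claimFees() pattern above, with renounceOwnership() overridden to revert, plus a Foundry test showing that renouncing fails and the collected ETH still reaches the owner. It assumes OpenZeppelin Contracts v5 (Ownable takes an initial owner) and forge-std; the contract, error and test names are made up for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes OpenZeppelin v5 Ownable
// and a Foundry project with forge-std installed.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical fee-collecting contract that mirrors MerkleAirdrop.sol's claimFees().
contract FeeVault is Ownable {
    error FeeVault__TransferFailed();
    error FeeVault__RenounceDisabled();

    constructor(address initialOwner) Ownable(initialOwner) {}

    /// Stands in for the fee collected inside claim(); simply accepts ETH.
    receive() external payable {}

    function claimFees() external onlyOwner {
        (bool succ,) = payable(owner()).call{value: address(this).balance}("");
        if (!succ) revert FeeVault__TransferFailed();
    }

    /// Mitigation from the recommendation: ownership may be transferred with
    /// transferOwnership(), but it can never be set to address(0).
    function renounceOwnership() public pure override {
        revert FeeVault__RenounceDisabled();
    }
}

contract FeeVaultTest is Test {
    FeeVault vault;
    address admin = makeAddr("admin");

    function setUp() public {
        vault = new FeeVault(admin);
        vm.deal(address(vault), 1 ether); // constructed: 1 ETH of fees already collected
    }

    function test_renounceIsBlockedAndFeesRemainClaimable() public {
        vm.prank(admin);
        vm.expectRevert(FeeVault.FeeVault__RenounceDisabled.selector);
        vault.renounceOwnership();
        assertEq(vault.owner(), admin); // owner unchanged, onlyOwner functions still usable

        vm.prank(admin);
        vault.claimFees();
        assertEq(admin.balance, 1 ether); // fees reached the owner, nothing is stuck
    }
}
```

Run with `forge test --match-contract FeeVaultTest`; the test demonstrates both that the renounce path is closed and that fee withdrawal keeps working after the override.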

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid according to docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid
