Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: high
Valid

`s_zkSyncUSDC` address used in `Deploy.s.sol` is not the USDC address, leaving real USDC funds stuck in `MerkleAirdrop`

Summary

The Deploy.s.sol script sets the USDC token as the airdrop token in the MerkleAirdrop contract, but the address stored in s_zkSyncUSDC is not that of the actual USDC token on zkSync.

However, the token contract used to transfer funds into the MerkleAirdrop contract is the real USDC contract. The USDC sent there becomes stuck, because the token the airdrop contract was configured with is the wrong contract.

Vulnerability Details

The vulnerability is in the Deploy.s.sol script: it sets an airdrop token in the MerkleAirdrop contract that is not the actual USDC contract and that differs from the token contract used to transfer funds to the airdrop contract.

The contract used for the token transfer to MerkleAirdrop is the actual USDC contract, but the token contract set when deploying the airdrop is not.

```solidity
@>  address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
    bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
    // 4 users, 25 USDC each
    uint256 public s_amountToAirdrop = 4 * (25 * 1e6);

    // Deploy the airdropper
    function run() public {
        vm.startBroadcast();
@>      MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
        // Send USDC -> Merkle Air Dropper
@>      IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
        vm.stopBroadcast();
    }
```
  • In the snippet above from Deploy.s.sol, s_zkSyncUSDC is passed to the MerkleAirdrop constructor. The address in this variable is not the actual USDC contract, so the airdrop is configured with the wrong token.

  • The token used to transfer funds to the airdrop contract is different from s_zkSyncUSDC and is the correct USDC token address.

  • Although the two addresses 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4 and 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4 look very similar at first glance, they are not identical. The difference lies in the upper and lower case letters; upper and lower case characters are treated as distinct, so the two are not the same.

  • Therefore an incorrect token contract is passed to the constructor of MerkleAirdrop, while the correct token address is used for transferring funds.
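The lookalike pair above is the kind of slip a pre-deployment check can catch mechanically. The script below is an added example, not part of this submission or of the project: it embeds the quoted Deploy.s.sol lines as a constructed sample, extracts every 20-byte address literal, compares addresses by their numeric value (letter case in a hex address only carries the EIP-55 checksum and does not change which account it names), and flags distinct addresses that differ in only one or two hex digits. On the quoted lines it reports the two literals as differing at hex digit position 18 ('a' versus 'b'). The regex, the sample string and the function names are my own.

```python
import re
from itertools import combinations

# Constructed sample: the relevant lines of the page's Deploy.s.sol, embedded so the
# check runs offline. The two address literals are exactly the ones the finding quotes.
DEPLOY_SCRIPT = """
address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
uint256 public s_amountToAirdrop = 4 * (25 * 1e6);
function run() public {
    vm.startBroadcast();
    MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
    IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
    vm.stopBroadcast();
}
"""

# A 20-byte EVM address literal: 0x followed by exactly 40 hex digits.
ADDRESS_LITERAL = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def normalize(addr: str) -> str:
    """Canonical form: the 40 hex digits, lowercased.

    Case does not change the value of a hex address; mixed case is only the
    EIP-55 checksum encoding, so lowercasing compares the real 20-byte values.
    """
    return addr[2:].lower()


def same_address(a: str, b: str) -> bool:
    """True if two literals denote the same 20-byte address, regardless of case."""
    return int(a, 16) == int(b, 16)


def extract_addresses(source: str) -> list[tuple[int, str]]:
    """Return (line_number, literal) for every address literal in the source."""
    found = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ADDRESS_LITERAL.finditer(line):
            found.append((lineno, m.group(0)))
    return found


def hex_diff_positions(a: str, b: str) -> list[int]:
    """0-based positions (within the 40 hex digits) at which two addresses differ."""
    na, nb = normalize(a), normalize(b)
    return [i for i, (x, y) in enumerate(zip(na, nb)) if x != y]


def find_lookalikes(source: str, max_distance: int = 2) -> list[dict]:
    """Flag pairs of distinct addresses that differ in at most max_distance hex digits.

    Two distinct literals this close together in one deploy script are far more
    likely to be a typo or copy/paste slip than two intentionally different contracts.
    """
    by_value: dict[str, list[int]] = {}
    for lineno, lit in extract_addresses(source):
        by_value.setdefault(normalize(lit), []).append(lineno)
    report = []
    for va, vb in combinations(sorted(by_value), 2):
        diff = [i for i, (x, y) in enumerate(zip(va, vb)) if x != y]
        if 0 < len(diff) <= max_distance:
            report.append({
                "a": "0x" + va, "a_lines": by_value[va],
                "b": "0x" + vb, "b_lines": by_value[vb],
                "differing_positions": diff,
            })
    return report


if __name__ == "__main__":
    for hit in find_lookalikes(DEPLOY_SCRIPT):
        print(f"lookalike addresses: {hit['a']} (lines {hit['a_lines']}) vs "
              f"{hit['b']} (lines {hit['b_lines']}); hex digits differ at {hit['differing_positions']}")
```

Run against a real script directory, the same function can be fed each `.s.sol` file's contents; a hit means the constant should be defined once and referenced everywhere, rather than pasted twice.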

Impact

  • Winners will never be able to claim their winnings via the claim function.

  • The USDC transferred to MerkleAirdrop will be stuck with no way to recover it, since the incorrect token address set for the airdrop cannot be changed.

Tools Used

Manual Review

Recommendations

Update s_zkSyncUSDC in Deploy.s.sol to the correct USDC address, 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
