`MerkleAidrop::MerkleRootUpdated` event exists without a function to update `i_merkleRoot`
Description:
The MerkleAirdrop contract includes an event named MerkleRootUpdated which is intended to notify observers when the Merkle root is updated. However, there is no corresponding function in the contract that allows the Merkle root to be updated. Additionally, the i_merkleRoot variable is set to immutable, which means it can only be assigned once during the contract's construction and cannot be modified afterwards.
Impact:
The absence of an update function for the Merkle root means that the contract cannot be updated with a new Merkle root after its initial deployment. This could limit the contract's flexibility and utility, especially in scenarios where the whitelist needs to be updated or changed, essentially restricting it to only one time use.
Recommended Mitigation:
To address this issue, a function should be implemented in the MerkleAirdrop contract that allows the contract owner to update the Merkle root. This function should include access control mechanisms to ensure that only the contract owner can update the Merkle root. Additionally, the MerkleRootUpdated event should be emitted within this function to notify observers of the update as shown below.
Tools Used: Manual review
Lead Judging Commences
Info
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.