Description:
The MerkleAirdrop contract includes an event named MerkleRootUpdated, which is intended to notify observers when the Merkle root is updated. However, there is no corresponding function in the contract that allows the Merkle root to be updated. Additionally, the i_merkleRoot variable is declared immutable, which means it can only be assigned once during the contract's construction and cannot be modified afterwards.
Impact:
The absence of an update function for the Merkle root means that the contract cannot be given a new Merkle root after its initial deployment. This could limit the contract's flexibility and utility, especially in scenarios where the whitelist needs to be updated or changed, essentially restricting it to one-time use.
Recommended Mitigation:
To address this issue, a function should be implemented in the MerkleAirdrop contract that allows the contract owner to update the Merkle root. This function should include access control mechanisms to ensure that only the contract owner can update the Merkle root. Additionally, the MerkleRootUpdated event should be emitted within this function to notify observers of the update, as shown below.
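A sketch of the recommended mitigation, added here as an example and not taken from the audited contract or the original submission. Only the names MerkleAirdrop, MerkleRootUpdated and i_merkleRoot come from the finding; the event parameters, the s_merkleRoot storage variable, the owner check and the function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration of the mitigation, not the audited contract.
// Claim logic is omitted; only the root-update path is shown.
contract MerkleAirdrop {
    error MerkleAirdrop__NotOwner();
    error MerkleAirdrop__RootUnchanged();

    // Assumed signature: the finding does not show the event's parameters.
    event MerkleRootUpdated(bytes32 indexed oldRoot, bytes32 indexed newRoot);

    // Owner is fixed at deployment (assumption; an Ownable base would also work).
    address private immutable i_owner;

    // Replaces the immutable i_merkleRoot: an immutable variable cannot be
    // reassigned after construction, so the root must live in storage.
    bytes32 private s_merkleRoot;

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert MerkleAirdrop__NotOwner();
        _;
    }

    constructor(bytes32 merkleRoot) {
        i_owner = msg.sender;
        s_merkleRoot = merkleRoot;
        emit MerkleRootUpdated(bytes32(0), merkleRoot);
    }

    // Access-controlled update that emits the previously unused event.
    function updateMerkleRoot(bytes32 newRoot) external onlyOwner {
        bytes32 oldRoot = s_merkleRoot;
        // Reject no-op updates so every emitted event reflects a real change.
        if (newRoot == oldRoot) revert MerkleAirdrop__RootUnchanged();
        s_merkleRoot = newRoot;
        emit MerkleRootUpdated(oldRoot, newRoot);
    }

    function getMerkleRoot() external view returns (bytes32) {
        return s_merkleRoot;
    }
}
```

If the contract records claims per address, that record persists across root updates unless it is keyed by the root as well.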
Tools Used: Manual review