First Flight #14: AirDropper

First Flight #14

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

In `Deploy.s.sol`, the address of s_zkSyncUSDC token is incorrect which will cause to not execute the `safeTransfer function` in the `MerkleAirdrop` contract.

naman1729

Summary

In the Deploy.s.sol file, the address of USDC token is incorrect. This will cause the airdrop to fail because the claim function will not work as expected. This will cause to not execute the safeTransfer function in the MerkleAirdrop contract.

Vulnerability Details

This address of s_zkSyncUSDC address in Deploy.s.sol file is incorrect and it is not the address of USDC token in zkSync.
This will cause the airdrop to fail because the claim function will not work as expected.
This will cause to not execute the safeTransfer function in the MerkleAirdrop contract.

@> address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;

bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;

// 4 users, 25 USDC each

uint256 public s_amountToAirdrop = 4 * (25 * 1e6);

POC

These are the steps to flow to check the s_zkSyncUSDC address in Deploy.s.sol file is correct or not.
- Go the All zksync token list and the click on the USDC token address.
- Copy the address of USDC token and compare it with the s_zkSyncUSDC address in Deploy.s.sol file.
  - this is the address of USDC token 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4.
  - this is the address of USDC token in Deploy.s.sol file 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4.
- And also search the address of USDC token which presnt in the Deploy.s.sol file. we can found that the address is not USDC token address. we can see by this link.

Impact

It will not work as expected.
All the functions will fail.
No user will be able to claim the airdrop because address of USDC token is incorrect.

Tools Used

Manual Review

Recommendations

put this in Deploy.s.sol to correct the address of USDC token.

contract Deploy is Script {

- address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;

+ address public s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;

bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;

// 4 users, 25 USDC each

uint256 public s_amountToAirdrop = 4 * (25 * 1e6);

// Deploy the airdropper

function run() public {

vm.startBroadcast();

MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));

// Send USDC -> Merkle Air Dropper

IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);

vm.stopBroadcast();

}

function deployMerkleDropper(bytes32 merkleRoot, IERC20 zkSyncUSDC) public returns (MerkleAirdrop) {

return (new MerkleAirdrop(merkleRoot, zkSyncUSDC));

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

usdc-wrong-address

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!