Submission Details
Severity: high
Valid

In `Deploy.s.sol`, the address of the `s_zkSyncUSDC` token is incorrect, which will prevent the `safeTransfer` function in the `MerkleAirdrop` contract from executing.

Summary

  • In the Deploy.s.sol file, the address of the USDC token is incorrect. This will cause the airdrop to fail because the claim function will not work as expected, and the safeTransfer function in the MerkleAirdrop contract will not execute.

Vulnerability Details

  • The s_zkSyncUSDC address in the Deploy.s.sol file is incorrect; it is not the address of the USDC token on zkSync.

  • This will cause the airdrop to fail because the claim function will not work as expected.

  • This will prevent the safeTransfer function in the MerkleAirdrop contract from executing.

@> address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
// 4 users, 25 USDC each
uint256 public s_amountToAirdrop = 4 * (25 * 1e6);

POC

  • These are the steps to follow to check whether the s_zkSyncUSDC address in the Deploy.s.sol file is correct.

    • Go to the list of all zkSync tokens and click on the USDC token address.

    • Copy the address of the USDC token and compare it with the s_zkSyncUSDC address in the Deploy.s.sol file.

      • This is the address of the USDC token: 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4.

      • This is the address of the USDC token in the Deploy.s.sol file: 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4.

    • Also search for the USDC token address that is present in the Deploy.s.sol file. We find that this address is not the USDC token address, as can be seen at this link.
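
The comparison in the steps above is hard to do by eye because the two addresses also differ in letter case. The following is an added example, not part of the original submission or the project's code: it extracts every 20-byte address literal from the deploy script lines quoted in this report and shows the hex positions where each differs from the reference address. The function names and the idea of running this as a pre-deploy check are assumptions.

```python
import re

# Reference USDC address as given in the report's POC step (not fetched live).
EXPECTED_USDC = "0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4"

# Pre-fix lines of Deploy.s.sol as quoted in the report, trimmed to what matters.
DEPLOY_SOURCE = """\
address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
"""

# Exactly 20 bytes of hex; the trailing \b skips 32-byte values such as the Merkle root.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def nibble_diff(a: str, b: str) -> list[tuple[int, str, str]]:
    """Positions (0-based, after '0x') where two addresses differ, ignoring case."""
    x, y = a[2:].lower(), b[2:].lower()
    return [(i, p, q) for i, (p, q) in enumerate(zip(x, y)) if p != q]


def audit_addresses(source: str, expected: str) -> list[dict]:
    """Report every address literal in `source` and how it differs from `expected`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ADDRESS_RE.finditer(line):
            literal = match.group(0)
            findings.append({
                "line": lineno,
                "literal": literal,
                "diff": nibble_diff(literal, expected),
            })
    return findings


if __name__ == "__main__":
    for f in audit_addresses(DEPLOY_SOURCE, EXPECTED_USDC):
        status = "OK" if not f["diff"] else f"MISMATCH at {f['diff']}"
        print(f"line {f['line']}: {f['literal']} -> {status}")
```

On the quoted lines this reports a single differing hex digit in the state variable, while the literal used for the funding transfer matches the reference address.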

Impact

  • It will not work as expected.

  • All the functions will fail.

  • No user will be able to claim the airdrop because the address of the USDC token is incorrect.

Tools Used

  • Manual Review

Recommendations

  • Put this in Deploy.s.sol to correct the address of the USDC token.

contract Deploy is Script {
- address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
+ address public s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
// 4 users, 25 USDC each
uint256 public s_amountToAirdrop = 4 * (25 * 1e6);
// Deploy the airdropper
function run() public {
vm.startBroadcast();
MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
// Send USDC -> Merkle Air Dropper
IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
vm.stopBroadcast();
}
function deployMerkleDropper(bytes32 merkleRoot, IERC20 zkSyncUSDC) public returns (MerkleAirdrop) {
return (new MerkleAirdrop(merkleRoot, zkSyncUSDC));
}
}
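
Review bot: in run(), the funding call still uses a hard-coded literal, IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(...), while the address passed to deployMerkleDropper comes from s_zkSyncUSDC, so the token address lives in two places and the two can drift apart again, which is exactly what the removed line shows. Suggest IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop); so both uses share one source of truth. The return value of transfer on that line is also not checked.
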
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
