Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Finding vulnerabilities

Summary

Key            Value
.sol Files     1
Total nSLOC    51

During the audit I found 4 vulnerabilities in the smart contracts:

  1. 2 in MerkleAirdrop.sol (High)

  2. 2 in Deploy.s.sol (Low)

Vulnerability Details

  1. NO ACCESS CHECK (DOUBLE CLAIMING)
    High

The claim function in MerkleAirdrop.sol does not record which accounts have already claimed, and there is no check that rejects a repeated claim. The same valid (account, amount, proof) triple can therefore be submitted again and again, letting a user claim the airdrop more than once.

  • Found in src/MerkleAirdrop.sol [Line: 30]

    function claim(
        address account,
        uint256 amount,
        bytes32[] calldata merkleProof
    ) external payable {
        // ... body verifies the proof, but never checks or records
        //     that `account` has already claimed
    }
  2. VERIFICATION VULNERABILITY
    High

  • Found in src/MerkleAirdrop.sol [Line: 45]

    bytes.concat(keccak256(abi.encode(account, amount)))

The leaf is built from the account and amount passed in as parameters, not from msg.sender. Anyone who knows the addresses and amounts selected for the airdrop can rebuild the Merkle tree, produce a valid proof for any leaf and call claim for an account they do not control. Merkle proofs are not secrets, so proof validity alone cannot serve as an authorization check on the caller.

  3. MISSING PRIVATE KEY IN DEPLOYMENT
    Low

The deploy script (Deploy.s.sol, line 16) does not specify which private key is used to broadcast the deployment.

  4. STORAGE VALUES AND FUNCTION deployMerkleDropper SHOULD BE PRIVATE
    Low

State variables in Deploy.s.sol and the deployMerkleDropper function are declared public; they should be private.

Impact

Tools Used

aderyn (Rust-based Solidity AST analyzer.)
https://github.com/Cyfrin/aderyn

Manual review

Recommendations

In MerkleAirdrop.sol: add a _claimed mapping, check it at the start of claim() and set it before the token transfer, to prevent double claiming (finding 1).

In MerkleAirdrop.sol, line 45: build the leaf from msg.sender instead of the account parameter, so a proof can only be used by the address it was issued for (finding 2).

In MerkleAirdrop.sol: add a getMerkleRoot() function with an onlyOwner check.

In Deploy.s.sol, line 16: specify the deployer private key. Read it from an environment variable (vm.envUint) or pass it on the command line with forge script --private-key or --account rather than hard-coding it in the script.

In Deploy.s.sol: change the public state variables to private.

All changes can be seen in my GitHub repository: https://github.com/alhonaut/audit-2024-airdropper
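As an added example (not the contest code and not the author's repository), here is how the two High findings and the first two recommendations could be addressed in a single claim function: a claimed mapping blocks double claiming, and the leaf is bound to msg.sender so a proof rebuilt from public data is only usable by the address it was issued for. It assumes OpenZeppelin's MerkleProof, IERC20 and SafeERC20 at the usual @openzeppelin import paths; the contract name HardenedMerkleAirdrop, the s_hasClaimed mapping, the custom errors and the hasClaimed getter are names chosen here, and the original's payable modifier is dropped because fee handling is outside these two findings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the contest code. Assumes a Foundry remapping that
// resolves @openzeppelin to OpenZeppelin Contracts 5.x.
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract HardenedMerkleAirdrop {
    using SafeERC20 for IERC20;

    error HardenedMerkleAirdrop__AlreadyClaimed(address account);
    error HardenedMerkleAirdrop__InvalidProof();

    IERC20 private immutable i_airdropToken;
    bytes32 private immutable i_merkleRoot;

    // Finding 1: remember which accounts have already claimed.
    mapping(address account => bool claimed) private s_hasClaimed;

    event Claimed(address indexed account, uint256 amount);

    constructor(bytes32 merkleRoot, IERC20 airdropToken) {
        i_merkleRoot = merkleRoot;
        i_airdropToken = airdropToken;
    }

    // Finding 2: no `account` parameter. The leaf is derived from msg.sender,
    // so knowing the tree lets you compute proofs but not spend someone else's leaf.
    function claim(uint256 amount, bytes32[] calldata merkleProof) external {
        if (s_hasClaimed[msg.sender]) {
            revert HardenedMerkleAirdrop__AlreadyClaimed(msg.sender);
        }

        // Same double-hashed leaf scheme as the original contract, but the
        // address component is the caller rather than a caller-supplied value.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, amount))));
        if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
            revert HardenedMerkleAirdrop__InvalidProof();
        }

        // Checks-effects-interactions: record the claim before the external call,
        // so a re-entrant call from a hooked token sees the account as claimed.
        s_hasClaimed[msg.sender] = true;
        emit Claimed(msg.sender, amount);
        i_airdropToken.safeTransfer(msg.sender, amount);
    }

    function hasClaimed(address account) external view returns (bool) {
        return s_hasClaimed[account];
    }

    function getMerkleRoot() external view returns (bytes32) {
        return i_merkleRoot;
    }
}
```

The off-chain tree generator must produce leaves with exactly the same double hash over (recipient, amount), or no proof will verify. Binding the leaf to msg.sender means every recipient must claim from their own key; if claiming on behalf of another account is a requirement, the alternative is to keep the account parameter and require a signature from that account over the claim, rather than trusting the proof alone.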

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
