Submission Details
Severity: high
Valid

Incorrect merkle root generated, due to which users can claim more than they are eligible for

Description

The merkle root set in the line bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05 in Deploy.s.sol is passed to the MerkleAirdrop contract, which uses it to verify merkle proofs. This merkle root is generated by makeMerkle.js.

In makeMerkle.js, in the line const amount = (25 * 1e18).toString(), the variable amount is initialized with 18 decimal places, while it should have 6 because USDC has 6 decimals. Since the claim amount is part of each leaf, this produces an incorrect merkle root.

Impact

More funds, i.e. 25 * 1e18 base units (wei) of USDC, can be claimed by each user, while they are only eligible for 25 * 1e6.

Proof of Concept

- bytes32 public merkleRoot = 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd;
+ bytes32 public merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
- uint256 amountToCollect = (25 * 1e6); // 25.000000
+ uint256 amountToCollect = (25 * 1e18); // 25.000000
- uint256 amountToSend = amountToCollect * 4;
+ uint256 amountToSend = amountToCollect * 4;
- bytes32 proofOne = 0x32cee63464b09930b5c3f59f955c86694a4c640a03aa57e6f743d8a3ca5c8838;
- bytes32 proofTwo = 0x8ff683185668cbe035a18fccec4080d7a0331bb1bbc532324f40501de5e8ea5c;
+ bytes32 proofOne = 0x4fd31fee0e75780cd67704fbc43caee70fddcaa43631e2e1bc9fb233fada2394;
+ bytes32 proofTwo = 0xc88d18957ad6849229355580c1bde5de3ae3b78024db2e6c2a9ad674f7b59f84;
- bytes32[] proof = [proofOne, proofTwo];
+ bytes32[] proof = [proofOne, proofTwo];
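Review bot: the comment on the `+ uint256 amountToCollect = (25 * 1e18); // 25.000000` line no longer matches the value, which is now 25 followed by 18 zeros rather than 25.000000; update the comment so a reader does not mistake the inflated amount for the intended 6-decimal one. The `amountToSend` and `proof` lines are removed and re-added unchanged and can be dropped from the hunk, leaving only the root, amount and proof-element changes that the PoC actually depends on.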
function testClaimMoreEthThanEligile() public {
    uint256 startingBalance = token.balanceOf(collectorOne);
    vm.deal(collectorOne, airdrop.getFee());
    vm.startPrank(collectorOne);
    airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
    vm.stopPrank();
    uint256 endingBalance = token.balanceOf(collectorOne);
    assertEq(endingBalance - startingBalance, amountToCollect);
}

The merkleRoot shown above was generated for address 0x20F41376c713072937eb02Be70ee1eD0D639966C with the new claim amount 25 * 1e18 (instead of the old amountToCollect of 25 * 1e6), together with the proof elements 0x4fd31fee0e75780cd67704fbc43caee70fddcaa43631e2e1bc9fb233fada2394 and 0xc88d18957ad6849229355580c1bde5de3ae3b78024db2e6c2a9ad674f7b59f84, using the script in makeMerkle.js.

Recommended mitigation

Change the line const amount = (25 * 1e18).toString() in makeMerkle.js to const amount = (25 * 1e6).toString(), so the leaf amounts match USDC's 6 decimals.
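The following added example (not code from the report or from the audited project) shows why the amount baked into each leaf decides what the root lets a user claim: a tree built with 25 * 1e18 accepts the inflated claim and rejects the correct 25 * 1e6 one. It assumes a leaf encoding of address || amount, sorted-pair node hashing, and uses hashlib.sha3_256 as a stand-in for keccak256; the three extra claimant addresses are constructed.

```python
import hashlib

USDC_DECIMALS = 6

# Constructed claimant list; the first address is the one named in the report.
CLAIMANTS = [
    "0x20F41376c713072937eb02Be70ee1eD0D639966C",
    "0x0000000000000000000000000000000000000002",
    "0x0000000000000000000000000000000000000003",
    "0x0000000000000000000000000000000000000004",
]

def leaf_hash(addr: str, amount: int) -> bytes:
    # Leaf = H(address || amount); the amount is part of the committed data (assumed encoding).
    return hashlib.sha3_256(bytes.fromhex(addr[2:]) + amount.to_bytes(32, "big")).digest()

def node_hash(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, so a proof needs no left/right flags (assumption).
    lo, hi = sorted((a, b))
    return hashlib.sha3_256(lo + hi).digest()

def merkle_root_and_proofs(leaves):
    level, proofs, idx = list(leaves), [[] for _ in leaves], list(range(len(leaves)))
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])  # duplicate the last node on odd levels
        for j, pos in enumerate(idx):
            proofs[j].append(level[pos ^ 1])  # sibling of this leaf's ancestor
            idx[j] = pos // 2
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs

def verify(root: bytes, leaf: bytes, proof) -> bool:
    h = leaf
    for sib in proof:
        h = node_hash(h, sib)
    return h == root

def build(decimals: int):
    # Mirrors makeMerkle.js: 25 tokens per claimant, scaled by the chosen decimals.
    amount = 25 * 10 ** decimals
    root, proofs = merkle_root_and_proofs([leaf_hash(a, amount) for a in CLAIMANTS])
    return amount, root, proofs

def demo():
    wrong_amount, wrong_root, wrong_proofs = build(18)            # the buggy script
    right_amount, right_root, right_proofs = build(USDC_DECIMALS)  # the fixed script
    inflated_accepted = verify(wrong_root, leaf_hash(CLAIMANTS[0], wrong_amount), wrong_proofs[0])
    correct_rejected = not verify(wrong_root, leaf_hash(CLAIMANTS[0], right_amount), right_proofs[0])
    return inflated_accepted, correct_rejected, wrong_root != right_root
```

demo() returns (True, True, True): with the 18-decimal root deployed, only the 25 * 1e18 claim verifies, which is exactly the excess the PoC test collects.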

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

wrong-usdc-decimals-in-merkle
