First Flight #14: AirDropper
First Flight #14
Beginner FriendlyDeFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Immutable Merkle root prevents any correction of the tree to save unclaimed airdrop or allowing reusability of the contract.

n0kto

Description

The Merkle root in MerkleAirdrop.sol is immutable:

bytes32 private immutable i_merkleRoot;

This is very risky because once in production, there is no way to change it.
In another submission, I proved the root was incorrect, which was a critical finding because there were no way to change the root.

Moreover, there is no mechanism to retrieve unclaimed airdrops, and changing the Merkle root could add this possibility.

Finally, this contract is only usable once. Being able to change the Merkle root would allow this contract to be used more than once for multiple airdrops (adapting an "anti-multi-claim" mechanism).

Risk

Likelyhood: Low

Impact: Low

  • No saving mechanism for incorrect Merkle root or unclaimed tokens.

  • No reusability of the contract.

Recommended Mitigation

Implement a setter for the Merkle root and remove the immutable keyword.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
n0kto Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.