Submission Details
Severity: low
Invalid

`merkleProof` length not checked

Summary

The MerkleAirdrop contract is vulnerable to denial of service because the length of the supplied Merkle proof is never validated.

Vulnerability Details

The MerkleAirdrop::claim() function passes the supplied Merkle proof straight to MerkleProof.verify() without first checking that the proof length is greater than 0. This allows anyone to submit an empty Merkle proof, which will fail verification.

Impact

Attackers can repeatedly call MerkleAirdrop::claim() with empty Merkle proofs, causing verification to fail on each call. This can prevent legitimate users from successfully claiming their airdropped tokens.

Tools Used

Manual Review

Recommendations

Add a require statement to MerkleAirdrop::claim() that checks the merkleProof length before verification:

require(merkleProof.length > 0, "Merkle proof is empty");

This will revert the transaction if an empty proof is supplied, preventing the denial of service.
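The following is an added example, not code from the submission or from the MerkleAirdrop contract itself. It models OpenZeppelin-style sorted-pair Merkle verification in Python (using SHA3-256 as a stand-in for keccak256, since hashlib has no Keccak-256; the proof logic is hash-agnostic) and a claim() function that applies the recommended length check before verifying. The leaf encoding, account strings and amounts are constructed for the example. It also shows the one case the check must allow for: in a tree with a single leaf the root equals the leaf, so the only valid proof is the empty one.

```python
import hashlib
from typing import Dict, List, Tuple


def h(data: bytes) -> bytes:
    # Stand-in for keccak256 (assumption): hashlib offers SHA3-256 but not Keccak-256.
    # Nothing in the proof or verify logic below depends on which hash is used.
    return hashlib.sha3_256(data).digest()


def hash_pair(a: bytes, b: bytes) -> bytes:
    # OpenZeppelin's MerkleProof hashes each pair in sorted order, so a proof
    # carries only sibling hashes, no left/right positions.
    return h(a + b) if a < b else h(b + a)


def leaf_hash(account: str, amount: int) -> bytes:
    # Hypothetical leaf encoding: account bytes followed by a 32-byte big-endian amount.
    return h(account.encode() + amount.to_bytes(32, "big"))


def build_tree(leaves: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Return (root, proofs) where proofs[i] is the sibling path for leaves[i]."""
    proofs: List[List[bytes]] = [[] for _ in leaves]
    # Each node carries the indices of the leaves beneath it so that sibling
    # hashes can be appended to the right proofs as we climb the tree.
    level: List[Tuple[bytes, List[int]]] = [(leaf, [i]) for i, leaf in enumerate(leaves)]
    while len(level) > 1:
        nxt: List[Tuple[bytes, List[int]]] = []
        for j in range(0, len(level), 2):
            if j + 1 == len(level):
                nxt.append(level[j])  # odd node out is carried up unchanged
                continue
            (a, ia), (b, ib) = level[j], level[j + 1]
            for i in ia:
                proofs[i].append(b)
            for i in ib:
                proofs[i].append(a)
            nxt.append((hash_pair(a, b), ia + ib))
        level = nxt
    return level[0][0], proofs


def verify(proof: List[bytes], root: bytes, leaf: bytes) -> bool:
    # Mirrors MerkleProof.verify: fold the proof into the leaf, compare with the root.
    # With an empty proof this reduces to leaf == root.
    computed = leaf
    for sibling in proof:
        computed = hash_pair(computed, sibling)
    return computed == root


def claim(proof: List[bytes], root: bytes, account: str, amount: int,
          claimed: Dict[str, bool], check_length: bool = True) -> str:
    """Model of MerkleAirdrop::claim(); returns the outcome instead of reverting."""
    if check_length and len(proof) == 0:
        return "revert: Merkle proof is empty"  # the recommended require
    if claimed.get(account):
        return "revert: already claimed"
    if not verify(proof, root, leaf_hash(account, amount)):
        return "revert: invalid proof"  # MerkleProof.verify returned false
    claimed[account] = True
    return "claimed"


# Constructed sample airdrop (accounts and amounts are made up for the example).
AIRDROP = [("0xaaaa", 25), ("0xbbbb", 25), ("0xcccc", 25), ("0xdddd", 25)]
LEAVES = [leaf_hash(acct, amt) for acct, amt in AIRDROP]
ROOT, PROOFS = build_tree(LEAVES)

if __name__ == "__main__":
    ledger: Dict[str, bool] = {}
    print(claim(PROOFS[0], ROOT, "0xaaaa", 25, ledger))       # claimed
    print(claim([], ROOT, "0xbbbb", 25, ledger))               # revert: Merkle proof is empty
    print(claim([], ROOT, "0xbbbb", 25, ledger, False))        # revert: invalid proof
    print(claim(PROOFS[1], ROOT, "0xbbbb", 25, ledger))        # claimed
```

Running it shows that the length check rejects an empty proof before any hashing is done, and that without the check the same call still reverts inside verification. A contract that may legitimately be deployed with a one-leaf tree would need to exempt that case, since build_tree([leaf]) yields an empty proof that verifies correctly.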

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:
