Submission Details
Severity: high
Valid

Malicious winner can drain the whole balance of the protocol

Summary

The goal of the airdrop is to send USDC tokens to 4 lucky addresses. Users claim their airdrop by calling the MerkleAirdrop::claim function, which checks the lucky address, the eligible amount and the Merkle proof. However, the function does not check whether the lucky address has already claimed the airdrop.

Vulnerability Details

The same lucky address can call the MerkleAirdrop::claim function multiple times. Each call pays out the airdrop again, up to 4 times in total, depending on how many of the other 3 lucky addresses have already claimed. A malicious claimer can use this to drain the whole balance of the protocol.

Impact

The following Foundry test function shows how one lucky address can maliciously drain the whole balance.

Executed with forge test --match-test "testUsersCanClaimMultipleTimes" -vvvvv.

function testUsersCanClaimMultipleTimes() public {
    uint256 startingBalance = token.balanceOf(collectorOne);
    // Fund the claimer with enough ETH to pay the claim fee four times.
    vm.deal(collectorOne, 4 * airdrop.getFee());
    vm.startPrank(collectorOne);
    // The same address, amount and proof are accepted on every iteration.
    for (uint256 i = 0; i < 4; ++i) {
        airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
    }
    vm.stopPrank();
    uint256 endingBalance = token.balanceOf(collectorOne);
    // One lucky address has received the allocation meant for all four.
    assertEq(endingBalance - startingBalance, 4 * amountToCollect);
}

Tools Used

Manual Review, Foundry

Recommendations

Add a mapping that records whether each lucky address has already claimed, check it at the start of MerkleAirdrop::claim, and set it before the token transfer so a second call from the same address reverts.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

multi-claim-airdrop
