Submission Details
Severity: high
Invalid

Lack of Merkle Root Update Functionality in MerkleAirdrop Contract

Summary

The MerkleAirdrop contract lacks an updateMerkleRoot function, preventing the contract owner from updating the Merkle root after deployment.

Vulnerability Details

Without an updateMerkleRoot function, the contract becomes static once deployed, with no mechanism to modify the Merkle root or update the airdrop data. This limitation restricts the contract's adaptability and flexibility, potentially leading to various issues such as incorrect airdrop data, inability to adjust the airdrop list, and stranded funds.

Impact

  • Inability to update airdrop data: The contract owner cannot modify the airdrop list or correct errors in the Merkle tree data, leading to potential inaccuracies in token distribution.

  • Lack of adaptability: Market conditions or campaign requirements may change over time, but without the ability to update the Merkle root, the contract remains static and cannot be adjusted accordingly.

  • Risk of stranded funds: Any remaining tokens in the contract after the airdrop completion cannot be recovered or redistributed without a contract upgrade.

Tools Used

Manual review

Recommendations

- bytes32 private immutable i_merkleRoot; // Remove the immutable keyword and change the variable name to merkleRoot
+ bytes32 public merkleRoot; // Add a public variable to store the merkle root
constructor(bytes32 _merkleRoot, IERC20 airdropToken) Ownable(msg.sender) {
- i_merkleRoot = _merkleRoot; // Update assignment to the new variable name
+ merkleRoot = _merkleRoot; // Assign the merkle root value
i_airdropToken = airdropToken;
}
// Add new function with onlyOwner restriction
+ function updateMerkleRoot(bytes32 newmerkleRoot) external onlyOwner {
+ merkleRoot = newmerkleRoot; // Update the merkle root
+ emit MerkleRootUpdated(merkleRoot); // Emit an event to notify of the update
+ }
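
Review bot: In `updateMerkleRoot`, `emit MerkleRootUpdated(merkleRoot);` refers to an event that none of the added lines declare, so the patch will not compile as shown; add a declaration such as `event MerkleRootUpdated(bytes32 newRoot);` alongside the new state variable. The function also writes `newmerkleRoot` to storage with no validation (for example, rejecting `bytes32(0)` or a value equal to the current root) and no delay, so a single owner transaction replaces the whole eligibility set. That is a trust trade-off against the original `immutable` root and should be documented next to the function. Minor points: the parameter would read better as `newMerkleRoot`, and the comment line `// Add new function with onlyOwner restriction` is missing its `+` marker.
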
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
