The USDC address hardcoded in the `Deploy.s.sol::s_zkSyncUSDC`
script variable is wrong. It is passed as an immutable constructor input to the MerkleAirdrop
contract, so it will render the deployed airdrop contract useless.
The USDC address for zkSync Era mainnet that the `Deploy.s.sol`
script uses for deployment is wrong. The correct address is `0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4`,
which you can find in the official resources here.
This will cause any attempt to interact with the USDC contract to fail, since it is pointing to the wrong address.
Additionally, a bad actor could know this beforehand and, by using the deterministic features of the blockchain (the create2 method), deploy a malicious contract at the specified address.
Manual review, zkSync era block explorer
Simply replace the wrong address in `Deploy.s.sol`
with the correct one, `0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4`.
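Because the token address is immutable once MerkleAirdrop is deployed, a pre-deployment check in the script can catch a mistyped address before it is locked in. The following is an added example, not code from the audited repository: the library name `TokenAddressCheck` and its function are hypothetical, and it assumes the script runs against an RPC endpoint or fork of the target chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Minimal interface: only the call this check needs.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

/// @notice Hypothetical deploy-time guard (illustrative, not the project's code).
library TokenAddressCheck {
    error NoCodeAtTokenAddress(address token);
    error UnexpectedDecimals(address token, uint8 actual, uint8 expected);

    /// @dev Reverts unless `token` has deployed code and reports the expected decimals.
    function requireLooksLikeToken(address token, uint8 expectedDecimals) internal view {
        // A mistyped address is usually an account with no code on the target chain.
        if (token.code.length == 0) revert NoCodeAtTokenAddress(token);

        // The call itself reverts if the contract does not implement decimals().
        uint8 actual = IERC20Decimals(token).decimals();
        if (actual != expectedDecimals) {
            revert UnexpectedDecimals(token, actual, expectedDecimals);
        }
    }
}

// Assumed usage inside Deploy.s.sol, before the MerkleAirdrop constructor call
// (USDC uses 6 decimals):
//
//     TokenAddressCheck.requireLooksLikeToken(s_zkSyncUSDC, 6);
```

This check only proves that some contract with a matching `decimals()` lives at the address; it does not replace comparing the constant against the issuer's published address.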