Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Valid

[H-1] Wrong calculation of the Merkle root causes DoS of the airdrop

Summary

The s_merkleRoot variable in Deploy.s.sol holds a Merkle root that was computed with the wrong token decimals and passes it to the MerkleAirdrop constructor at deployment, so users will not be able to verify their proofs.

Vulnerability Details

USDC, unlike most ERC20 tokens, uses 6 decimals, which matters whenever a token amount is encoded into a Merkle leaf. makeMerkle.js, however, encodes each claim amount with 18 decimals (25 * 1e18 instead of 25 * 1e6). The root derived from those leaves is copied into Deploy.s.sol::s_merkleRoot, passed to MerkleAirdrop.sol as a constructor argument and stored there as an immutable, so the wrong value cannot be corrected after deployment.

Impact

Users will not be able to verify their proofs and claim their USDC: a proof only verifies for the 18-decimal amount encoded in the leaf, i.e. 25e18 token units, which in 6-decimal USDC is 25 trillion USDC (25,000,000,000,000.000000). Unless the MerkleAirdrop contract holds that balance, every claim fails.

Tools Used

Manual review

Recommendations

Change the amount in makeMerkle.js to use USDC's 6 decimals, then run make merkle to regenerate the root:

- const amount = (25 * 1e18).toString()
+ const amount = (25 * 1e6).toString()
// Result for merkle root: 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd
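Review bot: the literal 1e6 in the + line hides the unit it encodes; a named constant such as const USDC_DECIMALS = 6 with (25 * 10 ** USDC_DECIMALS).toString() makes the intent explicit, and reading decimals() from the token contract would keep the script correct if it is reused for an 18-decimal token. The root quoted in the comment is only reproducible while the address list and leaf encoding in makeMerkle.js remain as they were when it was computed.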

Then replace Deploy.s.sol::s_merkleRoot with the correct value:

- bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
+ bytes32 public s_merkleRoot = 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd;
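Review bot: because the root becomes an immutable in MerkleAirdrop.sol, a stale value can only be fixed by redeploying, so pasting the new hash by hand is fragile; add a Foundry test that verifies a known (account, 25e6) leaf and its proof against s_merkleRoot, so that a root generated from the wrong script input fails in CI before deployment.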
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

wrong-usdc-decimals-in-merkle
