Submission Details
Severity: low
Invalid

Overcomplicated code in `Deploy` contract

Summary

Description: The code in the `Deploy` contract is overcomplicated and also contains magic numbers.

Vulnerability Details

Proof of Concept:

We do need to implement the `deployMerkleDropper` function and use the address of the token instead of a variable
for transferring tokens: `IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4)`.

Proof of Code:

Code for example
function run() public {
vm.startBroadcast();
MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
// Send USDC -> Merkle Air Dropper
- IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
vm.stopBroadcast();
}
- function deployMerkleDropper(bytes32 merkleRoot, IERC20 zkSyncUSDC) public returns (MerkleAirdrop) {
return (new MerkleAirdrop(merkleRoot, zkSyncUSDC));
}
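
Review bot: The removal around `deployMerkleDropper` is incomplete: only the signature line is marked `-`, while its body `return (new MerkleAirdrop(merkleRoot, zkSyncUSDC));` and closing brace are left as context, and `run()` still calls `deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC))` on an unmarked line. As shown, applying these removals would leave an orphaned function body and a call to a function that no longer exists. Mark the whole helper and its call site as removed, or keep the helper and limit the change to the hardcoded-address line.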

Impact

The code is overcomplicated and hard to read.

Tools Used

Manual review.

Recommendations

I propose to refactor this code in the following way.

Code for contract
function run() public returns (MerkleAirdrop){
vm.startBroadcast();
+ MerkleAirdrop airdrop = new MerkleAirdrop(s_merkleRoot,IERC20(s_zkSyncUSDC));
// Send USDC -> Merkle Air Dropper
+ IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop);
vm.stopBroadcast();
return airdrop;
}
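
Review bot: On the added `IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop);` line the boolean returned by `transfer` is discarded, so a token that reports failure by returning `false` would let the script finish as if the airdrop contract had been funded; wrap the call in `require(...)` or use a safe-transfer wrapper. Replacing the hardcoded address with `s_zkSyncUSDC` also only preserves behaviour if that variable holds the same address, which these lines do not show, so the value should be confirmed alongside the change. The new `returns (MerkleAirdrop)` signature and `return airdrop;` differ from the earlier version of `run()` but are not marked `+`, which makes the proposed change harder to read.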
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info
