Submission Details
Severity: high
Valid

Use of inline address can lead to fund losses

Summary

In the deployment script, the USDC token address is needed twice:

  • as a parameter for the airdrop contract constructor

  • to fund the contract with the token

Instead of using the same variable for both actions, the second use hard-codes the address as an inline literal, and the two addresses do not match.

Vulnerability Details

USDC address is declared on line 8:

address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;

Then, on line 18, the address is hard-coded a second time as a literal instead of reusing s_zkSyncUSDC, and the literal is a different address (…35be902… versus …35aE902…):

IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);

Impact

The airdrop contract is constructed with s_zkSyncUSDC, but the funding transfer targets the token at the literal address, which differs from s_zkSyncUSDC by one hex digit. An address literal is checksum-validated by the compiler (EIP-55), so a literal that compiles is a well-formed address; the check cannot tell that it is the wrong one. Both addresses must be identical for the protocol to work as intended. If they differ, the contract tries to pay out a token different from the one it holds, so claims fail.
As a consequence, tokens may get stuck in the contract and users will not be able to claim their airdrop.
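As an added example (not the audited project's own script), the corrected funding step inside a Foundry deployment script, together with the post-deployment checks that would have turned this mismatch into a failed script run instead of failed user claims. The Airdrop contract, its i_airdropToken getter, and the airdrop amount are assumptions; the USDC address and variable names are the ones quoted in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's deployment script. Assumes a
// Foundry project with forge-std available; the Airdrop contract below is a
// stand-in with only the part of the interface this check needs, and the
// value of s_amountToAirdrop is assumed.
import {Script} from "forge-std/Script.sol";

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Stand-in for the audited airdrop contract: it records the token it pays out.
contract Airdrop {
    IERC20 public immutable i_airdropToken;

    constructor(IERC20 airdropToken) {
        i_airdropToken = airdropToken;
    }
}

contract DeployAirdrop is Script {
    // Single source of truth for the token: every use below reads this
    // variable instead of retyping the literal (address as quoted in the finding).
    address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
    uint256 public s_amountToAirdrop = 4 * 1e6; // 4 USDC at 6 decimals (assumed)

    function run() external returns (Airdrop airdrop) {
        vm.startBroadcast();
        airdrop = new Airdrop(IERC20(s_zkSyncUSDC));
        // Vulnerable form from the finding (do not use): a second, mistyped literal
        //   IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
        // Corrected form: fund with the same variable the constructor received.
        require(IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop), "transfer failed");
        vm.stopBroadcast();

        // Post-deployment invariants that catch the original bug: the contract
        // pays out the token it was funded with, and the funds actually arrived.
        require(address(airdrop.i_airdropToken()) == s_zkSyncUSDC, "airdrop token mismatch");
        require(IERC20(s_zkSyncUSDC).balanceOf(address(airdrop)) == s_amountToAirdrop, "airdrop not funded");
    }
}
```

Run with `forge script` against a zkSync RPC; Foundry simulates the script before broadcasting, so either require reverting aborts the run before any transaction is sent. With the original literal in place, the balance check fails because the USDC the airdrop contract is configured to pay out never arrived.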

Tools Used

Manual review

Recommendations

Reuse the variable:

+ IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop);
- IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
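Review bot: The corrected line removes the duplicate literal, but the script still has no check that the token the airdrop contract was constructed with is the token it was funded with; add a post-deployment assertion that the contract's stored token address equals s_zkSyncUSDC and that its balance of that token equals s_amountToAirdrop, so a wrong value in s_zkSyncUSDC itself fails the deployment instead of users' claims. Also, the hunk lists the `+` line before the `-` line; the conventional order is the removed line first.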
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
