Tags: Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Valid

[H-1] Security Risk in `MerkleAirdrop::claim` function: No Limit on Withdrawal Times, Leading to Potential Infinite Withdrawals

Summary

The `MerkleAirdrop::claim` function transfers airdrop tokens to users who satisfy the airdrop criteria. Its implementation has a critical design flaw: nothing in `claim` limits how many times a given user can invoke it. An eligible user can therefore call `MerkleAirdrop::claim` repeatedly and receive the airdrop transfer on every call, because no check restricts the number of withdrawals. This needs to be addressed promptly.

Vulnerability Details

Per the project's specifications, users who satisfy the airdrop criteria are expected to withdraw their funds through `MerkleAirdrop::claim`, and each user is meant to make exactly one withdrawal. The current implementation does not enforce this. An eligible user can invoke `MerkleAirdrop::claim` multiple times; each call passes the Merkle proof check and reaches `i_airdropToken.safeTransfer(account, amount);`, which transfers the tokens again. This behavior contradicts the project's intended design. The root cause is that the function never records, and never checks, whether the account has already claimed.

Impact

Without a withdrawal restriction, any user eligible for the airdrop can execute `claim` repeatedly and drain the contract's token balance. Later eligible users would then be unable to claim the funds they are entitled to, undermining the fairness and integrity of the airdrop.

Tools Used

Manual review

Recommendations

Introduce a contract state variable that records, per user, whether a withdrawal has already been made. At the start of the `claim` function, check this record: if the user has already made a successful withdrawal, revert immediately so no further execution takes place. This ensures that each eligible user can make only a single withdrawal, aligning the function's behavior with the project's original intent.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags: multi-claim-airdrop
