Submission Details
Severity: high
Valid

`s_zkSyncUSDC` public address variable used in the `run()` function of `Deploy.s.sol` to deploy is not the address of zksync USDC

Summary

The `s_zkSyncUSDC` public address variable used in the `run()` function of `Deploy.s.sol` to deploy is not the address of zksync USDC.

Vulnerability Details

In the `claim` function of `MerkleAirdrop`, an account that claims its reward will not receive any USDC, even with a valid proof.

```solidity
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
    if (msg.value != FEE) {
        revert MerkleAirdrop__InvalidFeeAmount();
    }
    bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
    if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
        revert MerkleAirdrop__InvalidProof();
    }
    emit Claimed(account, amount);
    i_airdropToken.safeTransfer(account, amount);
}
```

Impact

In this configuration, no USDC will be airdropped.

Tools Used

Manual review

Recommendations

Hardcode the correct address in the `s_zkSyncUSDC` variable. You can also add more tests to be sure the script addresses the correct contract.
Read the name and symbol of the contract to validate it.
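
One way to implement the recommended check, as an added Foundry example that is not part of the original submission or the project's code. `TokenSanity`, `MockUSDC` and the expected values (`"USDC"`, 6 decimals) are assumptions for illustration; confirm the expected symbol and decimals against the token issuer's published deployment before using them on `s_zkSyncUSDC`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

// Minimal metadata view of an ERC-20 token.
interface IERC20Meta {
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
}

// Hypothetical helper: a deploy script could call this on s_zkSyncUSDC before deploying.
library TokenSanity {
    error NoCodeAtToken(address token);
    error UnexpectedToken(address token, string symbol, uint8 decimals);

    function check(address token, string memory wantSymbol, uint8 wantDecimals) internal view {
        // An address with no bytecode cannot be a token contract.
        if (token.code.length == 0) revert NoCodeAtToken(token);
        string memory sym = IERC20Meta(token).symbol();
        uint8 dec = IERC20Meta(token).decimals();
        if (keccak256(bytes(sym)) != keccak256(bytes(wantSymbol)) || dec != wantDecimals) {
            revert UnexpectedToken(token, sym, dec);
        }
    }
}

// Constructed stand-in token so the test runs offline.
contract MockUSDC {
    function symbol() external pure returns (string memory) { return "USDC"; }
    function decimals() external pure returns (uint8) { return 6; }
}

contract TokenSanityTest is Test {
    function test_acceptsExpectedToken() public {
        TokenSanity.check(address(new MockUSDC()), "USDC", 6);
    }

    function test_rejectsAddressWithoutCode() public {
        address typo = address(0xBEEF); // constructed placeholder, no code deployed
        vm.expectRevert(abi.encodeWithSelector(TokenSanity.NoCodeAtToken.selector, typo));
        this.callCheck(typo);
    }

    // External wrapper so vm.expectRevert observes the revert in a sub-call.
    function callCheck(address token) external view {
        TokenSanity.check(token, "USDC", 6);
    }
}
```

Run with `forge test`; on a fork of the target chain, the same `check` call can be pointed at the hardcoded address instead of the mock.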

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
