First Flight #14: AirDropper
First Flight #14
Beginner FriendlyDeFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

USDC Token Contract Address is Wrong

carlosalbawork

Summary

The USDC token address stated in Deploy.s.sol is different compared to the one showed in the zksync token explorer : https://explorer.zksync.io/tokens

Vulnerability Details

@> address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
.
.
.
function run() public {
vm.startBroadcast();
MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
// Send USDC -> Merkle Air Dropper
@> IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
vm.stopBroadcast();
}
function deployMerkleDropper(bytes32 merkleRoot, IERC20 zkSyncUSDC) public returns (MerkleAirdrop) {
return (new MerkleAirdrop(merkleRoot, zkSyncUSDC));
}

As we can see, the variable Deploy::s_zkSyncUSDCis initialized as 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4
However the correct address is the one used in the transfer of USDC to the airdrop contract, 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4 , because it is stated in the zksync token explorer webpage .

Impact

Because the airdrop contract is initialized with the variable that has the wrong address, airdrop winners won´t be able to be sent the prize.

Tools Used

Manual Review, Web Explorer

Recommendations

Initialize the correct address

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.