Incorrect `s_merkleRoot` in `Deploy.s.sol`
Summary
The s_merkleRoot variable in Deloy script is generated using amount with incorrect precision, resulting in incorrect root, potentially affecting the claim() function.
Vulnerability Details
s_merkleRoot value is generated using an amount with 18 decimals while actual USDC has 6 decimals. This mismatch results in an invalid Merkle root. Consequently, passing this invalid root to MerkleAirdrop contract would render MerkleAirdrop::claim() function useless as the amount passed to claim() function needs 6 decimal precision.
Impact
MerkleAirdrop::claim() function would consistently revert if the merkle root passed in the constructor is invalid. Consequently, users would be unable to withdraw USDC tokens, severely disrupting functionality of the protocol.
Tools Used
Manual Review
Proof of Concept
Pass the amount (25 * 1e6) for the lucky addresses in makeMerkle.js. It results in the following Merkle root,
0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd
The one hardcoded in Deploy.s.sol is the result when root is generated with addresses and amount of 18 decimals,
0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05
Recommendations
Prior to passing the s_merkleRoot to the MerkleAirdrop contract, ensure that its value is generated using correct decimal precision.
Lead Judging Commences
wrong-usdc-decimals-in-merkle
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.