Submission Details
Severity: high
Valid

Incorrect USDC token address `s_zkSyncUSDC` in `Deploy.s.sol`

Summary

An incorrect value is assigned to Deploy::s_zkSyncUSDC (i.e. the USDC token address on zkSync).

Vulnerability Details

s_zkSyncUSDC is a state variable in Deploy.s.sol that is supposed to contain the address of the USDC token on the zkSync network. This address is then used as a parameter when deploying the MerkleAirdrop contract, which requires an ERC20 token contract (the address of the airdrop token) for operation:

```solidity
function run() public {
    vm.startBroadcast();
@>  MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
    // Send USDC -> Merkle Air Dropper
    IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
    vm.stopBroadcast();
}
```

However, Deploy::s_zkSyncUSDC is assigned an incorrect value: the correct USDC address on zkSync is 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4, not 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4.
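
An added example, not part of the original submission or the project's code: a Python check that scans a deploy script for address literals that differ in only a few hex digits, which is the pattern in this finding. The function names, the `max_diff` threshold and the condensed `SAMPLE` source (built from the snippets shown in this report) are assumptions made for illustration.

```python
import re
from itertools import combinations

# 20-byte hex literal; \b on both sides keeps 32-byte values (e.g. a Merkle root) from matching.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed sample: the declaration and run() body quoted in this report, condensed.
SAMPLE = """\
contract Deploy is Script {
    address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
    function run() public {
        MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
        IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
    }
}
"""

def find_address_literals(source):
    """Map each address literal (lowercased, so checksum casing is ignored) to its line numbers."""
    found = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ADDRESS_RE.finditer(line):
            found.setdefault(match.group(0).lower(), []).append(lineno)
    return found

def near_duplicates(source, max_diff=2):
    """Return pairs of distinct addresses that differ in at most max_diff hex digits.

    Two unrelated addresses differ in most of their 40 digits, so a pair that is
    almost identical usually means one copy was mistyped or tampered with.
    """
    literals = find_address_literals(source)
    findings = []
    for a, b in combinations(sorted(literals), 2):
        diff_positions = [i for i, (x, y) in enumerate(zip(a[2:], b[2:])) if x != y]
        if 0 < len(diff_positions) <= max_diff:
            findings.append({"a": a, "b": b,
                             "a_lines": literals[a], "b_lines": literals[b],
                             "diff_positions": diff_positions})
    return findings

if __name__ == "__main__":
    for f in near_duplicates(SAMPLE):
        print(f"{f['a']} (lines {f['a_lines']}) vs {f['b']} (lines {f['b_lines']}): "
              f"differs at hex digit(s) {f['diff_positions']}")
```

The check only reports that two literals nearly match; which one is correct still has to be confirmed against the token's published address.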

Impact

MerkleAirdrop will be deployed with an incorrect constructor input value, and the contract will be dysfunctional (the incorrect address is not the USDC token address, and it is not a token address at all).
The contract will have to be redeployed.

Tools Used

Manual review, Foundry.

Recommendations

Correct the token address in Deploy.s.sol as follows:

- address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
+ address public s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
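
Review bot: with the `+` line applied, the USDC address still exists twice in Deploy.s.sol, once in `s_zkSyncUSDC` and once as the hardcoded literal in the `transfer` call inside `run()`, so the two copies can drift apart again. Suggest also changing that call to `IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop);` so the script has a single source for the address.
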
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
