First Flight #14: AirDropper

First Flight #14

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

MerkleRoot value is wrong

carlosalbawork

Summary

The value defined in Deploy::s_merkleRoot contract does not match the value of the root of the used merkleTree for this airdrop.

Vulnerability Details

In the makeMerkle.js file we have the following snippet of code:

const amount = (25 * 1e18).toString();

const values = [

["0x20F41376c713072937eb02Be70ee1eD0D639966C", amount],

["0x277D26a45Add5775F21256159F089769892CEa5B", amount],

["0x0c8Ca207e27a1a8224D1b602bf856479b03319e7", amount],

["0xf6dBa02C01AF48Cf926579F77C9f874Ca640D91D", amount],

];

const tree = StandardMerkleTree.of(values, ["address", "uint256"]);

console.log("Merkle Root:", tree.root);

If we execute

make merkle

we obtain that the Root value is the same as the one wrote in Deploy::s_merkleRoot :

Merkle Root: 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05

However, the tree that has that root value assumes that the token that we´re airdropping has 18 decimals !

const amount = (25 * 1e18).toString();

USDC has 6 decimals. So, the correct amount would be:

const amount = (25 * 1e6).toString();

Doing the previous change, the output of

make merkle

is :

Merkle Root: 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd

The same value used as a root in the MerkleAirdropTest file.

Impact

Every claim call from the winners will revert, because the "amount" values of the merkleTree (18 decimals) and the actual amount of tokens that will be withdrawn (6 decimals) is different, and therefore the verification functionwill return false at every call.

Is worth noting that if somebody actually discovered it and thought that calling the function with the amount with 18 decimals would grant them way more than they should, in the current state because there is only 100 + 6 decimals USDC in the contract, there`s not enough supply so it would ultimately revert in the line

i_airdropToken.safeTransfer(account, amount);

due to lack of funds.

Tools Used

VScode, Foundry

PoC

using

make merkle

We obtain the following result:

Merkle Root: 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05

Proof for address: 0x20F41376c713072937eb02Be70ee1eD0D639966C with amount: 25000000000000000000:

[

'0x4fd31fee0e75780cd67704fbc43caee70fddcaa43631e2e1bc9fb233fada2394',

'0xc88d18957ad6849229355580c1bde5de3ae3b78024db2e6c2a9ad674f7b59f84'

]

Modifying the MerkleAirdropTest contract with these values:

bytes32 public merkleRoot =

0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;

bytes32 proofOne =

0x4fd31fee0e75780cd67704fbc43caee70fddcaa43631e2e1bc9fb233fada2394;

bytes32 proofTwo =

0xc88d18957ad6849229355580c1bde5de3ae3b78024db2e6c2a9ad674f7b59f84;

and executing the current test testUsersCanClaim() we get the Invalid Proof error

Ran 1 test suite in 10.68ms (1.61ms CPU time): 0 tests passed, 2 failed, 0 skipped (2 total tests)

Failing tests:

Encountered 2 failing tests in test/MerkleAirdropTest.t.sol:MerkleAirdropTest

[FAIL. Reason: MerkleAirdrop__InvalidProof()] testUsersCanClaim() (gas: 36921)

If we also change the value of the amount like this:

uint256 amountToCollect = (25 * 1e18);

uint256 amountToSend =(25 * 1e6) ;

The test reverts with the Insufficient Balance error:

Suite result: FAILED. 0 passed; 2 failed; 0 skipped; finished in 1.71ms (329.70µs CPU time)

Ran 1 test suite in 10.39ms (1.71ms CPU time): 0 tests passed, 2 failed, 0 skipped (2 total tests)

Failing tests:

Encountered 2 failing tests in test/MerkleAirdropTest.t.sol:MerkleAirdropTest

[FAIL. Reason: ERC20InsufficientBalance(0x2e234DAe75C793f67A35089C9d99245E1C58470b, 25000000 [2.5e7], 25000000000000000000 [2.5e19])] testUsersCanClaim() (gas: 42116)

Recommendations

Modify the value of the MerkleRoot in the Deploy contract to the correct value found in the MerkleAirdropTest file :
0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

wrong-usdc-decimals-in-merkle

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.