Severity: high
Valid

H1 User can call the claim function multiple times to get the expected airdropToken

Summary

The user can call the claim function multiple times to get the expected airdrop tokens.

Vulnerability Details

A user who qualifies for the airdrop should be able to receive airdropToken only once. However, the claim function does not check whether the user has already claimed, so the user can obtain as many airdropToken as they want by calling the claim function multiple times.

Impact

A user who qualifies for the airdrop can obtain as many airdropToken as they want.

Tools Used

None

Recommendations

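Add a storage variable that records whether the user has already claimed the airdrop, and check it at the start of the claim function:

mapping(address => bool) public claimed;

// payable because the function compares msg.value against FEE
function claimAirdrop(uint256 amount, bytes32[] calldata merkleProof) external payable {
    // Reject a second claim from the same address
    require(!claimed[msg.sender], "Airdrop already claimed.");
    if (msg.value != FEE) {
        revert MerkleAirdrop__InvalidFeeAmount();
    }
    // The leaf is bound to the caller, the same address the claimed flag is keyed on
    bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, amount))));
    if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
        revert MerkleAirdrop__InvalidProof();
    }
    // Set the flag before the token transfer (checks-effects-interactions)
    claimed[msg.sender] = true;
    emit Claimed(msg.sender, amount);
    i_airdropToken.safeTransfer(msg.sender, amount);
}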
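A Foundry regression test for the recommended guard, added here as an example and not part of the original submission or the audited code base. `GuardedAirdrop` is a hypothetical stand-in that omits the Merkle proof and fee checks and tracks balances in a mapping instead of an ERC-20 token; the amounts are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for the airdrop contract: proof and fee
// checks are left out so the test isolates the claimed-flag guard.
contract GuardedAirdrop {
    error AlreadyClaimed();

    mapping(address => bool) public claimed;
    mapping(address => uint256) public received; // stands in for token balances
    uint256 public remaining;

    constructor(uint256 supply) {
        remaining = supply;
    }

    function claimAirdrop(uint256 amount) external {
        if (claimed[msg.sender]) revert AlreadyClaimed();
        claimed[msg.sender] = true; // effect recorded before the payout
        remaining -= amount;
        received[msg.sender] += amount;
    }
}

contract GuardedAirdropTest is Test {
    uint256 constant AMOUNT = 25e18; // constructed per-user allocation
    GuardedAirdrop airdrop;
    address user = makeAddr("user");

    function setUp() public {
        airdrop = new GuardedAirdrop(4 * AMOUNT); // pool sized for four claimants
    }

    function test_secondClaimReverts() public {
        vm.startPrank(user);
        airdrop.claimAirdrop(AMOUNT);
        // The repeated call must revert instead of paying out again
        vm.expectRevert(GuardedAirdrop.AlreadyClaimed.selector);
        airdrop.claimAirdrop(AMOUNT);
        vm.stopPrank();

        // Exactly one allocation left the pool; the other three are intact
        assertEq(airdrop.received(user), AMOUNT);
        assertEq(airdrop.remaining(), 3 * AMOUNT);
    }
}
```

Removing the `claimed` check from the stand-in makes `test_secondClaimReverts` fail, which is the behaviour this finding reports.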
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

multi-claim-airdrop
