Merkle Root Error Enables Excessive Airdrop Claims
Summary
The Merkle Proof contains a critical error that permits each of the four users to claim 25 trillion USDC instead of the intended 25 USDC due to an incorrect exponent in the amount calculation.
Vulnerability Details
The Merkle Proof uses a value of 25 * 1e18 for calculating withdrawal amounts. This notation is incorrect for USDC, which should utilize 25 * 1e6 to represent 25 USDC correctly. The misconfiguration arises from using an 18 decimal format, typically associated with 1 Ether, instead of the 6 decimal format used by USDC. This results in each user being able to claim 25 trillion USDC instead of the intended 25.
Impact
Practically, since the contract is only funded with 100 USDC (25 * 1e6), the user eligible to claim the airdrop would not be able to claim their airdrop since they can only claim for 25 trillion USDC.
Theoretically, if the contract was funded with 25 trillion USDC or more, they would unintentionally allow the user to claim 25 trillion USDC. Which is a huge exploit!
Tools Used
VsCode to open the AirDropper File
Manual code review to check the merkle tree construction and values used.
Recommendations
Immediate Correction of Merkle Proof Values: Revise the smart contract to replace 1e18 with 1e6 in the withdrawal calculation to reflect the correct denomination for USDC.
Lead Judging Commences
wrong-usdc-decimals-in-merkle
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.