First Flight #14: AirDropper

Summary

The deployment script, Deploy.s.sol, deploys the MerkleAirdrop contract with an incorrectly calculated merkle root. This makes it impossible for an airdrop allocation to be claimed, either by providing an incorrect proof or by providing a valid proof (and amount) that is calculated using 18 decimals, but results in the contract attempting to transfer a much larger number of tokens than is present in the contract. In addition, since there is no functionality to manually send USDC tokens out of the contract, the tokens are permanently stuck. To mitigate this, replace Deploy::s_merkleRoot with a properly calculated root. This can be done using the existing makeMerkle.js script.

Vulnerability Details

The deployment script, Deploy.s.sol, deploys the MerkleAirdrop contract with an incorrectly calculated merkle root. The root present in the deploy script is calculated based on a token having 18 decimals (the ERC20 default), when the airdropped token in this case (USDC) uses 6 decimals. MerkleAirdropTest.t.sol uses the correct root and proofs, making the test case (MerkleAirdropTest::testUsersCanClaim) pass.

Deploy.s.sol

MerkleAirdropTest.t.sol

Impact

This makes it impossible for an airdrop allocation to be claimed, either by providing an incorrect proof (calculated using 6 decimals compared to the root's 18 decimals) or by providing a valid proof (and amount) that is calculated using 18 decimals, but results in the contract attempting to transfer a much larger number of tokens than is present in the contract. In addition, since there is no functionality to manually send USDC tokens out of the contract, the tokens are permanently stuck.

Tools Used

Manual Analysis

Recommendations

Replace Deploy::s_merkleRoot with a properly calculated root. This can be done using the existing makeMerkle.js script.