Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Valid

Incorrect USDC Token Address Is Used during Deployment Resulting in Permanently Locked Tokens

Summary

Deploy::s_zkSyncUSDC is set to an empty address, i.e. one at which no token contract exists. During airdrop claims the contract will attempt to transfer a non-existent token, so claims fail. In addition, since there is no functionality to manually send USDC tokens out of the contract, the tokens are permanently stuck. To mitigate this, set Deploy::s_zkSyncUSDC to the proper contract address and use the variable consistently throughout the script to reduce the chance of mistakes.

Vulnerability Details

Deploy::s_zkSyncUSDC is set to an empty address: the stored literal differs from the real USDC address by a single hex digit (`...143135be90...` instead of `...143135aE90...`). Later in the deployment script, the proper USDC address is typed out again as a raw literal and used to send tokens to the airdrop contract, so the deposit succeeds while the claim path is left pointing at the wrong token.

```solidity
// Deploy script (excerpt): the stored variable and the literal used for the deposit differ
address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4; // wrong: "...35be90..."
// ...
IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop); // correct address, but a second raw literal
```

Impact

When an address attempts to claim an airdrop allocation, the contract will attempt to send a non-existent token, so the claim cannot succeed. In addition, since there is no functionality to manually send USDC tokens out of the contract, the USDC already deposited in it is permanently stuck.

Tools Used

Manual Analysis

Recommendations

Set Deploy::s_zkSyncUSDC to the proper contract address and use the variable consistently throughout the script to reduce the chance of mistakes.

- address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
+ address public s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
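Review bot: the new value is a one-nibble correction of the old one (`...143135be90...` becomes `...143135aE90...`), which is exactly the kind of slip that produced the bug, so the change should record where the replacement literal was verified (the token's verified contract on the chain's block explorer) and the variable should be declared `constant` so it cannot be reassigned elsewhere in the script.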
...
- IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
+ IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop);
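The recommendation above still leaves the address as a bare literal that must simply be typed correctly. As an added example, not part of this submission or the contest codebase, here is how the deploy script and a Foundry fork test can guard that value at run time; the `DeployHardened` contract, its `run(address)` signature, the sample amount and the fork invocation are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script} from "forge-std/Script.sol";
import {Test} from "forge-std/Test.sol";

// Minimal interface: only what the deploy step and the sanity check need.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function decimals() external view returns (uint8);
}

// Hypothetical hardened deploy script. The token address is declared once,
// validated before any funds move, and referenced only through the variable.
contract DeployHardened is Script {
    // Single source of truth (value taken from the finding's recommended fix).
    address public constant s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
    // Constructed sample amount: 100 USDC (6 decimals).
    uint256 public s_amountToAirdrop = 100e6;

    // Fails fast if the configured address is not a live USDC contract.
    // A mistyped address almost always holds no bytecode, and a different
    // token would be caught by the decimals check (USDC uses 6).
    function checkUsdc() public view {
        require(s_zkSyncUSDC.code.length > 0, "USDC: no contract at configured address");
        require(IERC20(s_zkSyncUSDC).decimals() == 6, "USDC: unexpected decimals");
    }

    // `airdrop` is the already-deployed airdrop contract (argument shape assumed).
    function run(address airdrop) external {
        checkUsdc();
        vm.startBroadcast();
        // Only the named variable is used, so no second literal can drift out of sync.
        require(IERC20(s_zkSyncUSDC).transfer(airdrop, s_amountToAirdrop), "USDC: transfer failed");
        vm.stopBroadcast();
    }
}

// Fork test: `forge test --fork-url <zkSync Era RPC URL>`. Without a fork the
// configured address holds no code and the test fails, which is the point.
contract DeployHardenedTest is Test {
    function test_configuredUsdcIsLiveToken() public {
        DeployHardened d = new DeployHardened();
        assertGt(d.s_zkSyncUSDC().code.length, 0);
        d.checkUsdc();
    }
}
```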
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags: usdc-wrong-address
