Severity: high
Valid

`MerkleAirdrop.sol` is deployed with the wrong USDC address, resulting in loss of all funds

Summary

The MerkleAirdrop contract is deployed with an incorrect USDC address.

Vulnerability Details

A close look at the deploy script shows that `s_zkSyncUSDC` is not the correct USDC address on zkSync.

```solidity
contract Deploy is Script {
    // @audit this address is passed to the MerkleAirdrop constructor and is not the correct zkSync USDC address
    address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
    bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
    // 4 users, 25 USDC each
    uint256 public s_amountToAirdrop = 4 * (25 * 1e6);

    // Deploy the airdropper
    function run() public {
        vm.startBroadcast();
        MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
        // Send USDC -> Merkle Air Dropper
        // @audit the transfer uses a different address literal than s_zkSyncUSDC
        IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
        vm.stopBroadcast();
    }

    function deployMerkleDropper(bytes32 merkleRoot, IERC20 zkSyncUSDC) public returns (MerkleAirdrop) {
        return (new MerkleAirdrop(merkleRoot, zkSyncUSDC));
    }
}
```

After deploying the contract with the wrong address, the deployer sends the actual USDC to that contract.
The real USDC will be stuck in the contract forever, and the funds will be lost.

Impact

All 100 USDC will be lost, as no one can claim the USDC as an airdrop.

Tools Used

Manual review

Recommendations

Use the correct USDC address in the deployment.
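A pre-deployment check for this class of mistake, added here as an example and not part of the submission or the audited project: it scans a script for 20-byte address literals and reports pairs that differ in only a few hex digits, which is exactly how the two addresses in the deploy script above differ. The function names and the `max_diff` threshold are assumptions chosen for this example.

```python
import re
from itertools import combinations

# 20-byte address literals only; the 32-byte Merkle root does not match.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Lines taken from the deploy script quoted in this finding.
DEPLOY_SNIPPET = """\
address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
bytes32 public s_merkleRoot = 0xf69aaa25bd4dd10deb2ccd8235266f7cc815f6e9d539e9f4d47cae16e0c36a05;
MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
"""


def find_addresses(source):
    """Map each lowercased address literal to the line numbers where it appears."""
    found = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ADDRESS_RE.finditer(line):
            found.setdefault(match.group(0).lower(), []).append(lineno)
    return found


def near_duplicates(source, max_diff=4):
    """Return pairs of distinct literals that differ in at most max_diff hex digits."""
    addrs = find_addresses(source)
    hits = []
    # Keys are already case-normalised, so every pair differs in at least one digit.
    for a, b in combinations(sorted(addrs), 2):
        diff = sum(x != y for x, y in zip(a, b))
        if diff <= max_diff:
            hits.append({"first": a, "first_lines": addrs[a],
                         "second": b, "second_lines": addrs[b],
                         "differing_digits": diff})
    return hits


if __name__ == "__main__":
    for hit in near_duplicates(DEPLOY_SNIPPET):
        print(f"{hit['first']} (lines {hit['first_lines']}) and "
              f"{hit['second']} (lines {hit['second_lines']}) differ in "
              f"{hit['differing_digits']} hex digit(s)")
```

The check only reports that two literals nearly match; which one is the intended token still has to be confirmed against the chain's published token address.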

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
