Tags: Beginner Friendly, DeFi, Foundry
Submission Details
Severity: low
Invalid

Transaction will fail if the account is blacklisted and there is no alternative way to claim tokens

Summary

The MerkleAirdrop contract uses USDC as the airdrop token. A user who qualifies for the airdrop may, however, have been blacklisted by USDC. In that case the claim transaction fails and the user has no way to claim their airdrop tokens.

Vulnerability Details

The issue is that the contract relies on USDC as the airdrop token without accounting for USDC's blacklist. If an address that qualifies for the airdrop has been blacklisted by USDC, the transfer inside the claim reverts because of the restriction USDC enforces, so the claim transaction fails.

Impact

The impact is significant: eligible users can be prevented from ever claiming their airdrop tokens, leading to frustration and a potential loss of trust in the project. Each failed claim attempt also wastes the gas the user paid for the transaction.

Tools Used

Manual Review

Recommendations

To address this issue, it is recommended to implement a mechanism that verifies a user's eligibility for the airdrop independently of USDC's blacklist. This could involve maintaining a whitelist of eligible addresses within the MerkleAirdrop contract, or using an alternative token that does not restrict user transfers. Additionally, communicating the eligibility criteria and the possible limitations caused by token restrictions clearly to users is essential to reduce confusion and dissatisfaction.
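The following Foundry test reproduces the failure mode described above and shows one way a claim contract can surface it explicitly. This is an added example and not the audited project's code: the `MockUSDC`, `MerkleAirdrop` and test names are illustrative, and it assumes OpenZeppelin v5 and forge-std are available through the usual Foundry remappings. The only external detail taken from the real token is that USDC's FiatToken exposes `isBlacklisted(address)`; the mock reproduces that getter and the revert on transfers involving a blacklisted account.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes OpenZeppelin v5 and
// forge-std via the standard Foundry remappings; all contract names are illustrative.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Stand-in for USDC's Blacklistable behaviour (constructed for this example):
/// transfers to or from a blacklisted account revert, and the public mapping
/// yields the same `isBlacklisted(address)` getter FiatToken exposes.
contract MockUSDC is ERC20 {
    mapping(address => bool) public isBlacklisted;

    constructor() ERC20("Mock USDC", "USDC") {}

    function mint(address to, uint256 amount) external { _mint(to, amount); }

    function blacklist(address account) external { isBlacklisted[account] = true; }

    function _update(address from, address to, uint256 value) internal override {
        require(!isBlacklisted[from] && !isBlacklisted[to], "Blacklistable: account is blacklisted");
        super._update(from, to, value);
    }
}

/// Subset of the FiatToken interface the airdrop queries before paying out.
interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

/// Minimal Merkle airdrop that checks the token's blacklist before transferring,
/// so a blocked claim reverts with a clear, machine-readable reason and the
/// claim stays unclaimed for resolution through an alternative path.
contract MerkleAirdrop {
    using SafeERC20 for IERC20;

    error AlreadyClaimed(address account);
    error InvalidProof();
    error RecipientBlacklisted(address account);

    IERC20 public immutable token;
    bytes32 public immutable merkleRoot;
    mapping(address => bool) public claimed;

    constructor(IERC20 _token, bytes32 _root) {
        token = _token;
        merkleRoot = _root;
    }

    function claim(address account, uint256 amount, bytes32[] calldata proof) external {
        if (claimed[account]) revert AlreadyClaimed(account);
        // Double-hashed leaf, matching the OpenZeppelin Merkle tree convention.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
        if (!MerkleProof.verify(proof, merkleRoot, leaf)) revert InvalidProof();
        // Check the blacklist explicitly instead of letting the token's internal
        // require bubble up; nothing has been marked claimed at this point.
        if (IBlacklistable(address(token)).isBlacklisted(account)) revert RecipientBlacklisted(account);
        claimed[account] = true;
        token.safeTransfer(account, amount);
    }
}

contract MerkleAirdropBlacklistTest is Test {
    MockUSDC usdc;
    MerkleAirdrop airdrop;
    address alice = makeAddr("alice");
    uint256 constant AMOUNT = 25e6; // 25 USDC (6 decimals), constructed sample value

    function setUp() public {
        usdc = new MockUSDC();
        // Single-leaf tree: the root equals the leaf and the proof is empty.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(alice, AMOUNT))));
        airdrop = new MerkleAirdrop(IERC20(address(usdc)), leaf);
        usdc.mint(address(airdrop), AMOUNT);
    }

    function testClaimSucceedsForNormalAccount() public {
        bytes32[] memory proof;
        airdrop.claim(alice, AMOUNT, proof);
        assertEq(usdc.balanceOf(alice), AMOUNT);
    }

    function testClaimRevertsWhenBlacklisted() public {
        usdc.blacklist(alice);
        bytes32[] memory proof;
        vm.expectRevert(abi.encodeWithSelector(MerkleAirdrop.RecipientBlacklisted.selector, alice));
        airdrop.claim(alice, AMOUNT, proof);
        // The entitlement is still open, so it can be settled another way.
        assertFalse(airdrop.claimed(alice));
    }
}
```

The explicit pre-check does not make a blacklisted address able to receive USDC; it only turns an opaque token-level revert into a named error, which is what the report's "clear communication" recommendation asks for at the contract level, and it documents that the entitlement remains unclaimed. Note that the `isBlacklisted` call is specific to tokens that expose that getter; pointing this contract at a plain ERC20 without it would make every claim revert on the interface call.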

Updates

Lead Judging Commences

inallhonesty (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid according to docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid
