Submission Details
Severity: medium
Invalid

Unclaimed USDC is impossible to recover from `MerkleAirdrop`

Summary

Deploy::run sends 100 USDC (the total airdrop amount) to MerkleAirdrop:

    function run() public {
        vm.startBroadcast();
        MerkleAirdrop airdrop = deployMerkleDropper(s_merkleRoot, IERC20(s_zkSyncUSDC));
        // Send USDC -> Merkle Air Dropper
@>      IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop);
        vm.stopBroadcast();
    }

Since MerkleAirdrop has no function for transferring USDC out of the contract, any unclaimed USDC cannot be recovered.

Vulnerability Details

Right at deployment, the total airdrop amount of 100 USDC is sent to MerkleAirdrop. Four addresses are eligible to claim 25 USDC each, but if any of them does not claim, that USDC is irrecoverably stuck in the contract. Reasons why users might not (be able to) claim their share of the airdrop:

  • not being notified that the airdrop exists or that they are eligible,

  • loss of access to the eligible address.

Impact

Any unclaimed USDC funds are impossible to recover from the MerkleAirdrop contract.

Tools Used

Manual review, Foundry.

Recommendations

Add a method to MerkleAirdrop so that USDC can be transferred out from the contract:

+ function recoverUsdc(address _receiver) external onlyOwner {
+ i_airdropToken.safeTransfer(_receiver, i_airdropToken.balanceOf(address(this)));
+ }
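
Review bot: `recoverUsdc` lets the owner sweep the entire balance at any time, including before the four eligible addresses have claimed, so the fix replaces stuck funds with an owner who can drain the airdrop ahead of legitimate claims; gate it behind a claim deadline, e.g. `require(block.timestamp > i_claimDeadline, "claims still open");` (name hypothetical), so only funds left after the claim window can be recovered. Also confirm that MerkleAirdrop actually inherits Ownable and wraps `i_airdropToken` with SafeERC20, since `onlyOwner` and `safeTransfer` are not shown anywhere else on the page, and emit an event from the sweep so it is observable on-chain.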

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
