The MerkleAirdrop contract has been audited for security concerns. The primary issue identified is the lack of protection against double-claiming airdrop tokens.
The contract keeps no record of which addresses have already claimed their tokens. Because a Merkle proof only proves that an (account, amount) pair is in the tree, and nothing on-chain invalidates it after use, anyone holding a valid proof can submit the same proof again and receive the full allotment on every call.
If exploited, the attacker simply repeats the claim until the ERC20 balance allocated for the airdrop is exhausted. There is no mitigation inside the contract logic itself; stopping the drain would depend on someone noticing it and intervening manually, which may well come too late.
Manual Code Review
Implement a mapping tracking claims (mapping(address => bool) private claimed;) that records whether an address has already received their allotment.
Add a check before processing claims (require(!claimed[account], "Already Claimed");) and set claimed[account] = true before the token transfer, so that a repeat claim reverts and a reentrant call from a token with transfer hooks cannot slip a second claim through.
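The following contract, added here as an illustration and not the audited project's code, puts the vulnerable claim path next to the hardened one recommended above. The leaf encoding keccak256(bytes.concat(keccak256(abi.encode(account, amount)))), the OpenZeppelin imports and all names are assumptions; the audited contract may encode leaves differently.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies: OpenZeppelin's ERC20 interface, SafeERC20 and MerkleProof.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Illustrative airdrop contract (hypothetical, not the audited code).
contract MerkleAirdropExample {
    using SafeERC20 for IERC20;

    bytes32 private immutable i_merkleRoot;
    IERC20 private immutable i_airdropToken;

    // Fix: one flag per address, written before the external transfer.
    mapping(address => bool) private claimed;

    event Claimed(address indexed account, uint256 amount);

    constructor(bytes32 merkleRoot, IERC20 airdropToken) {
        i_merkleRoot = merkleRoot;
        i_airdropToken = airdropToken;
    }

    // Assumed leaf encoding: double-hashed (account, amount) pair.
    function _leaf(address account, uint256 amount) internal pure returns (bytes32) {
        return keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
    }

    /// VULNERABLE: nothing records that `account` was already paid, so the same
    /// (account, amount, proof) tuple can be replayed until the balance is gone.
    function claimUnsafe(address account, uint256 amount, bytes32[] calldata merkleProof) external {
        require(MerkleProof.verify(merkleProof, i_merkleRoot, _leaf(account, amount)), "Invalid proof");
        emit Claimed(account, amount);
        i_airdropToken.safeTransfer(account, amount);
    }

    /// FIXED: reject repeat claims, and mark the address as claimed before the
    /// token transfer (checks-effects-interactions) so a reentrant callback from
    /// a hook-bearing token cannot claim a second time.
    function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external {
        require(!claimed[account], "Already Claimed");
        require(MerkleProof.verify(merkleProof, i_merkleRoot, _leaf(account, amount)), "Invalid proof");
        claimed[account] = true;
        emit Claimed(account, amount);
        i_airdropToken.safeTransfer(account, amount);
    }

    function hasClaimed(address account) external view returns (bool) {
        return claimed[account];
    }
}
```

Keying the flag by address assumes each address appears in the tree exactly once; if the tree can hold several leaves for one address (for example several vesting tranches), key the mapping by the leaf hash instead so that each leaf, rather than each address, can be redeemed only once.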