Submission Details
Severity: medium
Invalid

DoS via Owner Contract Reverting Transactions

Summary

A potential Denial of Service (DoS) vulnerability exists in the MerkleAirdrop contract's claimFees function, which could prevent the withdrawal of fees by the owner.

Vulnerability Details

The claimFees function allows only the owner to withdraw the ETH collected as fees, and it sends that ETH to the owner address itself. If ownership is transferred to a smart contract whose receive/fallback path reverts on incoming ETH, every call to claimFees will fail, and there is no alternative recipient the owner can name.

Impact

If exploited, or accidentally triggered by a poorly designed owner contract, no one would be able to collect the accumulated fees. The funds stay locked in the contract indefinitely and the intended fee-collection flow for legitimate owners/operators is disrupted, which amounts to a loss of the revenue stream from the deployed system until the issue is addressed through the measures described in the Recommendations section below.

Tools Used

  • Manual code review

Recommendations

  • Implement a mechanism where only trusted addresses can become owners or restrict transferOwnership capability.

  • Add logic that ensures new owners are capable of accepting transfers; possibly verify behavior before transferring ownership.
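The following Foundry test illustrates both recommendations on a simplified stand-in contract. This is an added example, not the audited MerkleAirdrop code: `FeeVault`, `claimFeesToOwner`, `claimFees(address)`, `RevertingOwner` and the 1 ether fee balance are all constructed here for illustration. It contrasts the stuck "pay the owner address" pattern with two mitigations: a two-step ownership transfer (the new owner must actively accept, so an unreachable address can never become owner) and a recipient parameter on the fee withdrawal, so an owner that cannot receive ETH can still route fees to a payable treasury.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical, simplified stand-in for the fee logic under review; not the audited contract.
contract FeeVault {
    address public owner;
    address public pendingOwner;

    error NotOwner();
    error NotPendingOwner();
    error TransferFailed();

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Fees accumulate here (in the real contract they arrive as msg.value on claims).
    receive() external payable {}

    // Vulnerable pattern: the only possible recipient is the owner address.
    // If the owner is a contract whose receive() reverts, the fees are stuck for good.
    function claimFeesToOwner() external onlyOwner {
        (bool ok,) = payable(owner).call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }

    // Hardened pattern: the owner names the recipient, so a non-payable owner
    // can still direct fees to an EOA or a payable treasury contract.
    function claimFees(address payable to) external onlyOwner {
        (bool ok,) = to.call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }

    // Two-step ownership: the candidate must call acceptOwnership, which proves the
    // address is under active control (a mistyped or dead address can never accept).
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}

// Owner contract that refuses ETH: the condition the report describes.
contract RevertingOwner {
    receive() external payable {
        revert("no ETH");
    }
}

contract FeeVaultTest is Test {
    FeeVault vault;
    RevertingOwner badOwner;

    function setUp() public {
        vault = new FeeVault();
        badOwner = new RevertingOwner();
        vm.deal(address(vault), 1 ether); // constructed fee balance
        vault.transferOwnership(address(badOwner));
        vm.prank(address(badOwner));
        vault.acceptOwnership();
    }

    // Paying the owner address directly reverts once the owner cannot receive ETH.
    function test_payToOwnerIsStuck() public {
        vm.expectRevert(FeeVault.TransferFailed.selector);
        vm.prank(address(badOwner));
        vault.claimFeesToOwner();
    }

    // With a recipient parameter the same owner can still move the fees out.
    function test_recipientParamRescuesFees() public {
        address treasury = makeAddr("treasury");
        vm.prank(address(badOwner));
        vault.claimFees(payable(treasury));
        assertEq(treasury.balance, 1 ether);
        assertEq(address(vault).balance, 0);
    }
}
```

Run with `forge test` in a project that has forge-std installed. Note that two-step ownership only proves the new owner can send transactions; it does not prove it can receive ETH, which is why the recipient parameter on claimFees is the part that actually removes the lock-up described in this report.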

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
