Beginner Friendly · DeFi · Foundry
Submission Details
Severity: high
Valid

Invalid address used for `s_zkSyncUSDC` in the `Deploy.s.sol` script leads to a Denial of Service (DoS) of the airdrop

Description

The `s_zkSyncUSDC` address in the `Deploy.s.sol` script is set to `0x1D17CbCf0D6d143135be902365d2e5E2a16538d4`. This is not the zkSync USDC token address: it differs from the correct one in a single hex digit (`...143135be90...` instead of `...143135ae90...`), which is easy to miss on review. The same script uses the correct address, `0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4`, in the `IERC20(...)` call that funds the airdrop, so the two literals disagree. The `MerkleAirdrop` is therefore constructed with an `IERC20` handle that points at an address with no ERC-20 `transfer` implementation behind it; every payout attempt reverts and no claim can succeed, a Denial of Service on the protocol's core function.

@> address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4; // invalid USDC address
@> IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop); // valid USDC address

Impact

The `MerkleAirdrop` holds an `IERC20` reference to an address with no token-like functionality, so it cannot transfer USDC to any claimant. Every `claim` reverts, rendering the protocol useless.

Proof of Concept

The DoS is shown in the `MerkleAirdropTest::test_deploy_script_uses_invalid_erc20_address` test. Since the test does not run against the real zkSync address, the `IERC20` token in `Deploy.s.sol` was swapped for a mock with no ERC-20 capabilities, `NotERC20Token`, to stand in for the non-token address. The claim then reverts inside the token `transfer`, which surfaces as `FailedCall()` in the trace; a stricter version of the test would pass that error to `vm.expectRevert` instead of accepting any revert.

PoC

    function test_deploy_script_uses_invalid_erc20_address() public {
        // The deploy script under test wires the airdrop to NotERC20Token in place of the mistyped address.
        uint256 fee = airdrop.getFee();
        vm.deal(collectorOne, fee);
        vm.startPrank(collectorOne);
        // Any revert is accepted here; the trace below shows it is FailedCall() raised from the token transfer.
        vm.expectRevert();
        airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
        vm.stopPrank();
    }
Ran 1 test for test/MerkleAirdropTest.t.sol:MerkleAirdropTest
[PASS] test_deploy_script_uses_invalid_erc20_address() (gas: 56658)
Traces:
[56658] MerkleAirdropTest::test_deploy_script_uses_invalid_erc20_address()
├─ [225] MerkleAirdrop::getFee() [staticcall]
│ └─ ← [Return] 1000000000 [1e9]
├─ [0] VM::deal(0x20F41376c713072937eb02Be70ee1eD0D639966C, 1000000000 [1e9])
│ └─ ← [Return]
├─ [0] VM::startPrank(0x20F41376c713072937eb02Be70ee1eD0D639966C)
│ └─ ← [Return]
├─ [0] VM::expectRevert(custom error f4844814:)
│ └─ ← [Return]
├─ [28826] MerkleAirdrop::claim{value: 1000000000}(0x20F41376c713072937eb02Be70ee1eD0D639966C, 25000000000000000000 [2.5e19], [0x4fd31fee0e75780cd67704fbc43caee70fddcaa43631e2e1bc9fb233fada2394, 0xc88d18957ad6849229355580c1bde5de3ae3b78024db2e6c2a9ad674f7b59f84])
│ ├─ emit Claimed(account: 0x20F41376c713072937eb02Be70ee1eD0D639966C, amount: 25000000000000000000 [2.5e19])
│ ├─ [24] NotERC20Token::transfer(0x20F41376c713072937eb02Be70ee1eD0D639966C, 25000000000000000000 [2.5e19])
│ │ └─ ← [Revert] EvmError: Revert
│ └─ ← [Revert] FailedCall()
├─ [0] VM::stopPrank()
│ └─ ← [Return]
└─ ← [Stop]
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 5.71ms (286.71µs CPU time)

Tools used

Manual review

Recommended Mitigation

Use the correct USDC token address in the `Deploy.s.sol` script, and have the funding `IERC20(...)` call read `s_zkSyncUSDC` as well so there is a single literal to get right. A deploy-time check that the configured address has code and answers ERC-20 metadata calls would catch this class of typo before anything is deployed.

- address public s_zkSyncUSDC = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;
+ address public s_zkSyncUSDC = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
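Review bot: the corrected literal still leaves a second copy of the same address in the funding call `IERC20(0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4).transfer(address(airdrop), s_amountToAirdrop)`, so the two can diverge again on the next edit; have that call read the state variable instead, e.g. `IERC20(s_zkSyncUSDC).transfer(address(airdrop), s_amountToAirdrop)`, and guard it with `require(s_zkSyncUSDC.code.length > 0)` before use. The fix should also be verified on a zkSync fork rather than with the mock-based PoC, since that test swaps in `NotERC20Token` and cannot show that the corrected address actually holds USDC.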
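One way to implement the deploy-time check suggested above, as an added Foundry example that is not part of the project's `Deploy.s.sol` or test suite. It assumes forge-std is installed (the finding's PoC already uses its `vm` cheatcodes); the `TokenAddressGuard` library, the `IERC20Meta` interface and the two mock tokens are constructed for this example, and the two address literals are the correct and mistyped ones from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's Deploy.s.sol or test code. Assumes forge-std is
// installed (the finding's PoC already uses its vm cheatcodes); the guard library
// and the two mock tokens below are constructed for this example.
import { Test } from "forge-std/Test.sol";

/// Only the ERC-20 metadata surface the guard relies on.
interface IERC20Meta {
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
}

/// Deploy-time guard: call it before wiring a token address into any contract.
library TokenAddressGuard {
    error TokenHasNoCode(address token);
    error UnexpectedToken(address token, string symbol, uint8 decimals);

    /// Reverts unless `token` has code and reports the expected symbol and decimals.
    /// The code-length check is the one this finding needs: a mistyped address on a
    /// live chain almost always points at an EOA or an empty slot.
    function assertLooksLike(address token, string memory expectedSymbol, uint8 expectedDecimals)
        internal
        view
    {
        if (token.code.length == 0) revert TokenHasNoCode(token);
        string memory symbol = IERC20Meta(token).symbol();
        uint8 decimals = IERC20Meta(token).decimals();
        bool symbolOk = keccak256(bytes(symbol)) == keccak256(bytes(expectedSymbol));
        if (!symbolOk || decimals != expectedDecimals) {
            revert UnexpectedToken(token, symbol, decimals);
        }
    }
}

/// Constructed mocks with constant metadata so their runtime bytecode can be
/// etched at an arbitrary address (vm.etch copies code, not storage).
contract MockUsdc {
    function symbol() external pure returns (string memory) { return "USDC"; }
    function decimals() external pure returns (uint8) { return 6; }
}

contract MockDai {
    function symbol() external pure returns (string memory) { return "DAI"; }
    function decimals() external pure returns (uint8) { return 18; }
}

contract TokenAddressGuardTest is Test {
    // The two literals from the finding: the correct zkSync USDC address and the typo.
    address constant USDC_OK = 0x1d17CBcF0D6D143135aE902365D2E5e2A16538D4;
    address constant USDC_TYPO = 0x1D17CbCf0D6d143135be902365d2e5E2a16538d4;

    // External wrapper so vm.expectRevert applies to a real external call.
    function check(address token) external view {
        TokenAddressGuard.assertLooksLike(token, "USDC", 6);
    }

    function test_typoAddressIsRejectedBeforeDeploy() public {
        // Nothing lives at the mistyped address on a local chain (and, per the
        // finding, no ERC-20 lives there on zkSync either): reject it up front
        // instead of discovering the problem when claim() reverts.
        vm.expectRevert(abi.encodeWithSelector(TokenAddressGuard.TokenHasNoCode.selector, USDC_TYPO));
        this.check(USDC_TYPO);
    }

    function test_usdcShapedCodeAtCorrectAddressPasses() public {
        // Simulate a zkSync fork by placing USDC-shaped code at the correct address.
        vm.etch(USDC_OK, address(new MockUsdc()).code);
        this.check(USDC_OK); // must not revert
    }

    function test_wrongTokenAtAddressIsRejected() public {
        // Code exists but it is not USDC: the metadata mismatch trips the second check.
        vm.etch(USDC_OK, address(new MockDai()).code);
        vm.expectRevert(
            abi.encodeWithSelector(TokenAddressGuard.UnexpectedToken.selector, USDC_OK, "DAI", uint8(18))
        );
        this.check(USDC_OK);
    }
}
```

Run with `forge test --match-contract TokenAddressGuardTest`. In the real script the guard would be called on `s_zkSyncUSDC` at the top of `run()`, before `vm.startBroadcast()`, so a mistyped address aborts the deployment locally and on a fork alike; the symbol and decimals check is deliberately strict so that a valid-but-wrong token at the address is caught too.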
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

usdc-wrong-address
