DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

Race Condition in pick Function Allowing Multiple Claims

Vulnerability Details

The vulnerability identified pertains to a potential race condition within the pick function of the smart contract. This function is designed to allow users to claim a specified quantity of tokens, provided they submit a valid cryptographic proof. The vulnerability stems from the operational sequencing within this function, particularly in the state transition and validation logic. The issue arises due to the non-atomic nature of state updates in relation to external calls. This creates a window where a user could exploit the function by sending multiple transactions in quick succession. This scenario could happen before the blockchain updates the state following the initial transaction execution, allowing the user to claim more tokens than authorised by their proof.

Impact

An attacker could exploit the race condition by submitting multiple transactions in quick succession before the state is updated to reflect the claim, potentially claiming more tokens than they are entitled to. This could lead to unauthorised token distribution, diluting the token supply, and potentially causing financial loss to the protocol and its users.

Tools Used

Manual Review

Recommendations

  1. Introduce a unique nonce for each user that must be included and incremented with each claim to enforce the order of transactions.

  2. Utilize mutexes to lock the claiming process for a user until the transaction is confirmed, preventing concurrent claims.

  3. Implement a cooldown period between claims for a single address.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
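
Why rapid resubmission does not open a race window on an EVM chain, as an added example (not code from the contest repository or from the submission): transactions in a block execute one at a time, and each one either applies completely or reverts, so a later transaction always reads the state written by the earlier one. The `ClaimModel` class, its per-account `picked` counter and the hash-as-proof shortcut are assumptions made for illustration; the audited `pick` function is not shown on this page.

```python
import hashlib

class Revert(Exception):
    """Aborts a transaction; its state changes are discarded."""

class ClaimModel:
    """Hypothetical proof-gated claim contract (an assumption, not the audited code)."""
    def __init__(self, allowances):
        # Constructed allow-list: a set of leaves stands in for a Merkle root.
        self.leaves = {self.leaf(a, q) for a, q in allowances.items()}
        self.picked = {}    # account -> quantity already claimed
        self.balances = {}  # account -> tokens received

    @staticmethod
    def leaf(account, allowance):
        return hashlib.sha256(f"{account}:{allowance}".encode()).hexdigest()

    def pick(self, sender, amount, allowance, proof):
        if proof != self.leaf(sender, allowance) or proof not in self.leaves:
            raise Revert("invalid proof")
        already = self.picked.get(sender, 0)
        if already + amount > allowance:
            raise Revert("exceeds allowance")
        self.picked[sender] = already + amount
        self.balances[sender] = self.balances.get(sender, 0) + amount

def execute_block(contract, txs):
    """Apply transactions strictly one after another, in block order."""
    receipts = []
    for tx in txs:
        snapshot = (dict(contract.picked), dict(contract.balances))
        try:
            contract.pick(*tx)
            receipts.append("success")
        except Revert as err:
            contract.picked, contract.balances = snapshot  # roll back
            receipts.append(f"reverted: {err}")
    return receipts

def demo():
    contract = ClaimModel({"alice": 100})
    proof = ClaimModel.leaf("alice", 100)
    # Three identical claims submitted in quick succession, mined in one block.
    txs = [("alice", 100, 100, proof)] * 3
    return execute_block(contract, txs), contract.balances["alice"]

if __name__ == "__main__":
    print(demo())
```

Only the first of the three claims succeeds in this model; the other two revert because they already see the updated `picked` value.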
