Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

Tokens that transfer less than amount

Summary

Some tokens, like cUSDCv3, contain a special case for amount == type(uint256).max in their transfer functions: instead of transferring that amount, they transfer only the sender's current balance (which may be a dust amount).

Vulnerability Details

Users can hold a dust amount of tokens in the SablierLockup contract and then have that dust amount approved in the airdrop contracts. Suppose a user deposits dust tokens into the Sablier Lockup contract. When the airdrop contract is created from the factory contract, the approval, i.e.

ASSET.forceApprove(address(LOCKUP_LINEAR), type(uint256).max);

will approve the dust tokens of cUSDCv3, so the contract holds only a small amount of tokens; due to the nature of the token, this further restricts others from depositing into the contract as well.

This also does not break the protocol assumption that at most 2^128 tokens are allowed.

Impact

Failure to spend funds from the MerkleLockup contract, making users unable to claim the ERC20 assets through the airdrop.

Tools Used

Manual Review

Recommendations

Explicitly do not support these tokens. Alternatively, perform a balance check before and after approving and transferring the tokens, on both the Lockup contracts and the airdrop contracts. Or change type(uint).max to type(uint128).max, since the project assumes the number of tokens in the contract never exceeds 2^128.
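As an added illustration (not Sablier's or Compound's code), the following Python model shows the transfer special case described under Vulnerability Details beside the before/after balance check recommended above; the token class, account names and balances are constructed for the example.

```python
# Added model (not Sablier's or Compound's code) of a cUSDCv3-style transfer rule.
UINT256_MAX = 2**256 - 1  # type(uint256).max

class MaxAmountToken:
    """Toy token; balances and semantics are a constructed model, not Comet's."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = set()  # (owner, spender) pairs holding a max approval

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def approve(self, owner, spender, amount):
        if amount == UINT256_MAX:  # simplified binary allowance: only max grants
            self.allowed.add((owner, spender))

    def transfer_from(self, spender, src, dst, amount):
        if spender != src and (src, spender) not in self.allowed:
            raise PermissionError("spender not allowed")
        if amount == UINT256_MAX:
            amount = self.balance_of(src)  # special case: move only the balance
        if amount > self.balance_of(src):
            raise ValueError("insufficient balance")  # explicit amounts revert
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount
        return True  # success tells the caller nothing about how much moved

def pull_exact(token, puller, src, amount):
    """Recommended check: compare balances before/after and reject a shortfall."""
    before = token.balance_of(puller)
    token.transfer_from(puller, src, puller, amount)
    received = token.balance_of(puller) - before
    if received != amount:
        raise RuntimeError(f"requested {amount}, received only {received}")
    return received

def demo():
    # Constructed scenario: the airdrop holds 5 dust units and has granted the
    # lockup a type(uint256).max approval, as in the report's snippet.
    token = MaxAmountToken({"airdrop": 5, "lockup": 0})
    token.approve("airdrop", "lockup", UINT256_MAX)
    token.transfer_from("lockup", "airdrop", "lockup", UINT256_MAX)
    moved_silently = token.balance_of("lockup")  # 5, and the call "succeeded"
    token.balances["airdrop"] = 5  # refill the dust for the guarded pull
    try:
        pull_exact(token, "lockup", "airdrop", UINT256_MAX)
        detected = False
    except RuntimeError:
        detected = True  # the balance check turns the shortfall into a revert
    return moved_silently, detected
```

Calling demo() returns (5, True): the unguarded pull moves only the dust while reporting success, and the guarded pull rejects the shortfall.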

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
