The 1-week grace period exists so that admins can cancel airdrops, but a malicious attacker can block this admin action by front-running the `clawback` transaction.
The airdrop admin can call the `clawback` function to receive tokens back from the airdrop contract. In addition, anyone can claim anyone else's airdrop to the recipient address.
Together these allow a malicious attacker to front-run the admin's `clawback` transaction by claiming the rewards of airdrop participants, so that `clawback` reverts for lack of tokens.
Another point to consider: even if no malicious attacker claims others' airdrops, airdrop participants could be alerted and claim their own airdrops by front-running `clawback`, which again leaves the contract short of tokens.
The airdrop admin is not able to cancel the airdrop and move the tokens back.
Manual Review
Two mitigations are needed to prevent this issue:
1. Do not allow claiming another recipient's airdrop during the grace period.
2. In the `clawback` function, when the actual token amount remaining in the contract is smaller than the requested amount, do not revert; transfer all the remaining tokens instead.
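The two mitigations above as an added illustration, not the audited contract's code: all names (`AirdropSketch`, `allocation`, `gracePeriodEnd`, the `claim`/`clawback` signatures) are assumptions chosen for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal airdrop used only to show the two fixes; names are assumed.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract AirdropSketch {
    IERC20 public immutable token;
    address public immutable admin;
    uint256 public immutable gracePeriodEnd;          // end of the 1-week grace period
    mapping(address => uint256) public allocation;    // recipient => claimable amount
    mapping(address => bool) public claimed;

    constructor(IERC20 _token, address _admin, uint256 _gracePeriodEnd) {
        token = _token;
        admin = _admin;
        gracePeriodEnd = _gracePeriodEnd;
    }

    // Mitigation 1: during the grace period only the recipient may claim, so a
    // third party cannot drain other participants' allocations ahead of a clawback.
    function claim(address recipient) external {
        if (block.timestamp < gracePeriodEnd) {
            require(msg.sender == recipient, "grace period: self-claim only");
        }
        require(!claimed[recipient], "already claimed");
        uint256 amount = allocation[recipient];
        require(amount > 0, "nothing to claim");
        claimed[recipient] = true;                       // effects before interaction
        require(token.transfer(recipient, amount), "transfer failed");
    }

    // Mitigation 2: clawback never reverts for lack of tokens; it sends whatever
    // is still held, capped at the requested amount, and reports what was sent.
    function clawback(uint256 requested) external returns (uint256 sent) {
        require(msg.sender == admin, "not admin");
        uint256 remaining = token.balanceOf(address(this));
        sent = requested < remaining ? requested : remaining;
        if (sent > 0) {
            require(token.transfer(admin, sent), "transfer failed");
        }
    }
}
```

The self-claim check still lets participants claim their own tokens during the grace period, so the clawback cap is what keeps the admin action from reverting in that case.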