Sablier
DeFiFoundry, 53,440 USDC
Submission Details
Severity: low
Valid

Potential vulnerability with airstreams when the admin of the merkle lockup contract is changed

Summary

Airstreams are created with the admin of the merkle lockup contract as the stream sender. This becomes a problem when the admin is changed: the original admin address keeps the sender role on every stream already created, so if that wallet is exploited, those streams are exposed.

Vulnerability Details

In both the linear and tranched airstream contracts, whenever a user claims an airdrop, a stream is created for the user with the contract admin as the sender.
This exposes a vulnerability when the admin of the contract is changed to a new admin, in particular if the original admin address is exploited: the sender role on all previously created streams stays with the old address.

Impact

When the admin is changed, the new admin has no access to the existing airstreams.
If the old admin address turns malicious, the airstreams can be cancelled, causing loss of funds for users.

Tools Used

Manual Review

Recommendations

In most cases airstreams do not need to be cancellable, so it is recommended to set the contract itself as the sender and renounce the stream right after creation. Alternatively, there could be a configuration option to create streams that are already renounced.
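The following is an added illustration of the pattern described above, not code from Sablier's repository. It uses a hypothetical minimal `ILockup` interface (the struct fields, `create` and `renounce` are assumptions modeled loosely on a lockup-style contract, not Sablier's actual ABI) and shows the vulnerable claim path, where the current admin is the stream sender, next to the hardened path, where the airstream contract is the sender and renounces cancelability immediately after creation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal lockup interface (assumption for this example, not
// Sablier's real ABI). The "sender" is the only party allowed to cancel.
interface ILockup {
    struct CreateParams {
        address sender;      // party with cancel rights over the stream
        address recipient;
        uint128 totalAmount;
        bool cancelable;
    }

    function create(CreateParams calldata params) external returns (uint256 streamId);

    // Gives up the sender's right to cancel. Callable only by the stream sender.
    function renounce(uint256 streamId) external;
}

// Vulnerable pattern: the admin at claim time is recorded as stream sender.
// After transferAdmin(), streams created earlier still name the OLD admin as
// sender, so the old key can cancel them and the new admin cannot touch them.
contract MerkleAirstreamVulnerable {
    ILockup public immutable lockup;
    address public admin;

    constructor(ILockup lockup_, address admin_) {
        lockup = lockup_;
        admin = admin_;
    }

    function transferAdmin(address newAdmin) external {
        require(msg.sender == admin, "not admin");
        admin = newAdmin;
    }

    // Merkle proof verification is omitted; only the sender choice matters here.
    function claim(address recipient, uint128 amount) external returns (uint256) {
        return lockup.create(ILockup.CreateParams({
            sender: admin,          // control is bound to whoever is admin NOW
            recipient: recipient,
            totalAmount: amount,
            cancelable: true
        }));
    }
}

// Hardened pattern: the airstream contract itself is the sender and renounces
// right away, so no externally owned account (current or former admin) can
// ever cancel a claimed stream, and an admin change has no effect on streams.
contract MerkleAirstreamHardened {
    ILockup public immutable lockup;
    address public admin;

    constructor(ILockup lockup_, address admin_) {
        lockup = lockup_;
        admin = admin_;
    }

    function transferAdmin(address newAdmin) external {
        require(msg.sender == admin, "not admin");
        admin = newAdmin;
    }

    function claim(address recipient, uint128 amount) external returns (uint256 streamId) {
        streamId = lockup.create(ILockup.CreateParams({
            sender: address(this),  // the contract, not an admin EOA, is the sender
            recipient: recipient,
            totalAmount: amount,
            cancelable: true
        }));
        // Drop cancel rights immediately: the stream is now non-cancelable
        // regardless of any later admin change or admin key compromise.
        lockup.renounce(streamId);
    }
}
```

If the underlying lockup contract supports creating a stream with `cancelable: false` from the start, that is the "configuration to create renounced streams" the recommendation mentions and removes the need for the separate `renounce` call. The important property in either variant is that no admin address, past or present, holds the sender role on claimed streams.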

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Admin changing functionality allows former admin access and does not give new admin access to some functionality

0xnevi Judge about 1 year ago
inallhonesty Lead Judge about 1 year ago
