Grace period can be started earlier than expected
Summary
Because the merkle lockup contract uses post-payment structure, any user can deposit tokens to the contract to initiate grace period.
Vulnerability Details
The grace period of airstream contracts exists to give opportunities for the admins to cancel the airdrops within 1 week of airdrop periods in case there happens a mistake in airdrop.
With current structure, the grace period is started when the first claim happens, also it sholdn't be started as long as the admins don't deposit funds into the contract.
However, a malicious actor can donate some funds to the contract to start grace period earlier than expected, which might causes for admins to lose opportunities to clawback before grace periods ends.
Impact
The admin of the contract might not be able to cancel the airdrop and get the token back.
Tools Used
Manual Review
Recommendations
There should be a deposit function which is callable by the admin where it starts grace period.
Lead Judging Commences
Info/Gas/Invalid as per Docs
https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Grace started early by donate + claim
Grace started early by donate + claim
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.