Description: The set_merkle_root
function allows the owner to update the merkle root without any time delay or notification mechanism. This could potentially be exploited by front-running user transactions with a root change.
Lines 159-165:
Impact: If the owner maliciously or mistakenly updates the merkle root, pending user claim transactions might fail, leading to confusion and potential denial of service for legitimate claims.
Recommended Mitigation: Implement a timelock mechanism for merkle root updates:
The `set_merkle_root` function is called only by the `owner` and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call again the `set_merkle_root` function.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.