Submission Details
Severity:
Users can claim multiple times with different total amounts via valid Merkle proofs, leading to token over-issuance
Summary: Users can claim multiple times with different total amounts via valid Merkle proofs, leading to token over-issuance
Vulnerability Details : The contract tracks cumulative claimed amounts per user but doesn't store their total allocation. This allows users to submit multiple claims with different total_amount values (each with a valid Merkle proof), accumulating their claimed amounts beyond their actual entitlement.
Impact: High. Attackers could drain the contract's funds if they generate valid proofs for higher amounts.
Tools Used: Manual review
Recommendations : Store the user's total allocated amount upon the first successful claim and validate subsequent claims against this stored value
Rewards breakdown
nSLOC
127This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.