Description

The airdrop contract contains a critical race condition vulnerability where the user's token balance is read at claim time to generate the merkle leaf, rather than using a predetermined allocation amount. This creates a vulnerability where users can manipulate their balance between the merkle proof generation and the actual claim execution.

Risk

Likelihood: HIgh

• The balance check occurs at runtime during the claim transaction

• No time locks or balance snapshots prevent manipulation

• Attackers can front-run their own transactions to optimize timing

• The vulnerability can be exploited repeatedly by different users

Impact:

• Protocol Failure: The entire airdrop mechanism becomes unreliable and exploitable

• Fund Drainage: Contract may fail to collect the intended tokens from users

Root cause

The contract dynamically calculates the merkle leaf using current balance instead of the predetermined allocation amount that was used to build the original merkle tree.

Proof of Concept

Setup Phase:

• Alice is allocated 100 tokens in the merkle tree

• Alice approves the airdrop contract for 100 tokens

• Merkle tree contains leaf: keccak256(abi.encode(alice, 100))

Manipulation Phase:

• Alice transfers 50 tokens to Bob

• Alice's balance drops to 50 tokens

• Approval remains at 100 tokens (sufficient for transfer)

Claim Attempt:

• Contract reads i_snow.balanceOf(alice) = 50

• Contract generates leaf: keccak256(abi.encode(alice, 50))

• Merkle proof verification fails (proof was for amount=100, not amount=50)

• Transaction reverts with SA__InvalidProof()

Security Implication: This test reveals that users cannot claim if they reduce their balance, but more importantly, it shows the contract's merkle verification is unreliable and dependent on mutable state rather than immutable allocations.

Recommended Mitigation

Implement Fixed Allocation Parameter with Balance Validation :