AirDropper
AI First Flight #5
Beginner Friendly
DeFi
Foundry
May 28th, 2026 → Jun 4th, 2026
Submissions: 6 / 6

| # | Title | Severity | Validity | Tags | Author |
|---|-------|----------|----------|------|--------|
| 1 | Missing claim tracking allows unlimited Merkle proof replay and full USDC drainage | High | Valid | [H-02] Eligible users can c... | cybernerd |
| 2 | Off-chain Merkle tree uses 18-decimal amounts while deployment funds 6-decimal USDC, breaking claims on production config | High | Valid | [H-03] Wrong Merkle Root us... | cybernerd |
| 3 | `claim` does not require `msg.sender == account`, enabling third parties to trigger payouts and amplifying replay abuse | Medium | Invalid | | cybernerd |
| 4 | `claimFees` uses unrestricted `.call` to `owner()` and can permanently lock accumulated ETH fees | Medium | Invalid | | cybernerd |
| 5 | `Deploy.s.sol` uses bare `transfer` with no post-deploy funding invariant, risking an empty or unfunded airdrop on zkSync | Medium | Invalid | | cybernerd |
| 6 | Low claim fee (`1 gwei`) makes large-scale replay and pool drainage economically trivial | Low | Invalid | | cybernerd |