AirDropper
AI First Flight #5
Beginner FriendlyDeFiFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Users can claim multiple times due to lack of claiming tracking, draining the entire airdrop contract

zmettalz

Lack of claiming tracking enables draining funds

Description

  • The contract is designed to allow users to claim their airdrop allocation once by providing a valid Merkle proof that verifies their address and amount against the stored Merkle root.

  • The contract does not record which addresses have already claimed tokens, allowing the same address to call claim() multiple times with the same valid proof and drain the entire contract balance.

// src/MerkleAirdrop.sol
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
if (msg.value != FEE) {
revert MerkleAirdrop__InvalidFeeAmount();
}
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert MerkleAirdrop__InvalidProof();
}
@> // Missing: No check if address has already claimed
@> // Missing: No tracking of claimed addresses
emit Claimed(account, amount);
i_airdropToken.safeTransfer(account, amount);
}

Risk

Likelihood:

  • Any user with a valid Merkle proof can trivially exploit this vulnerability by calling the public claim() function multiple times

  • The Merkle proofs and amounts are publicly visible on-chain through emitted events, making it easy for anyone to replay valid claims

Impact:

  • Complete loss of all tokens in the airdrop contract (100% of funds can be stolen)

  • Legitimate users are unable to claim their entitled allocation, resulting in total failure of the airdrop distribution

Proof of Concept

The following test demonstrates how an attacker can drain the entire airdrop contract by repeatedly calling the claim() function with the same valid Merkle proof. Place this test in your test file and run with forge test --match-test test_DrainEntireAirdrop -vvvv:

function test_DrainEntireAirdrop() public {
// Setup: Airdrop has 1000 tokens, attacker is entitled to 100
uint256 airdropInitialBalance = 1000e18;
uint256 attackerAllocation = 100e18;
token.mint(address(airdrop), airdropInitialBalance);
console.log("Airdrop initial balance:", airdropInitialBalance);
console.log("Attacker allocation:", attackerAllocation);
// Attacker claims 10 times with the same valid proof
for (uint256 i = 0; i < 10; i++) {
vm.prank(attacker);
airdrop.claim{value: FEE}(attacker, attackerAllocation, validProof);
}
// Attacker now has 1000 tokens (10x their allocation)
assertEq(token.balanceOf(attacker), attackerAllocation * 10);
console.log("Attacker final balance:", token.balanceOf(attacker));
// Contract is completely drained
assertEq(token.balanceOf(address(airdrop)), 0);
console.log("Contract drained - all users' tokens stolen");
}

Explanation: This test shows that an attacker who is legitimately entitled to 100 tokens can claim 10 times in a loop, receiving 1000 tokens total (the entire airdrop balance). Each iteration of the loop successfully passes all validation checks because the contract never records that the address has already claimed. This leaves the contract with zero balance and prevents all other legitimate users from claiming their allocations.

Recommended Mitigation

Add a state variable to track claimed addresses and verify it before processing any claim:

+ mapping(address => bool) private s_hasClaimed;
+ error MerkleAirdrop__AlreadyClaimed();
function claim(address account, uint256 amount, bytes32[] calldata merkleProof)
external
payable
{
+ if (s_hasClaimed[account]) {
+ revert MerkleAirdrop__AlreadyClaimed();
+ }
if (msg.value != FEE) {
revert MerkleAirdrop__InvalidFeeAmount();
}
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert MerkleAirdrop__InvalidProof();
}
+ s_hasClaimed[account] = true;
emit Claimed(account, amount);
i_airdropToken.safeTransfer(account, amount);
}

Explanation: The mitigation introduces a mapping(address => bool) to track which addresses have claimed. Before processing any claim, the function checks if s_hasClaimed[account] is true and reverts if so. After all validations pass, the mapping is updated to true BEFORE the token transfer (following the Checks-Effects-Interactions pattern). This ensures that even if the transfer triggers a callback, the claim cannot be re-entered. Additionally, add a view function to allow users to check claim status:

function hasClaimed(address account) external view returns (bool) {
return s_hasClaimed[account];
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract

## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!