AirDropper

AI First Flight #5
Tags: Beginner Friendly, DeFi, Foundry
Submission Details
Impact: high
Likelihood: medium
Status: Invalid

Merkle root cannot be updated

The Merkle root cannot be updated because the smart contract contains no logic for this operation.

Description

  • Normal behavior: After an airdrop is finished, the owner may later want to airdrop tokens to a different set of accounts. This is normally achieved by an owner-only function that replaces the current Merkle root with a new one.

  • Issue: MerkleAirdrop.sol declares an event, MerkleRootUpdated, that is never emitted. It is presumably meant to be emitted when the Merkle root is updated, but no code that updates the root exists in the contract.

    @> event MerkleRootUpdated(bytes32 newMerkleRoot); //@audit H-1 Unused event planned to be emitted when merkle root is updated

Risk

Likelihood:

  • Medium: this only matters if the owner decides to airdrop tokens to new accounts, or wants to run another airdrop to different accounts after the current one is finished.

Impact:

  • High: the contract only works with the Merkle root it was deployed with, and there is no mechanism to replace it, so the contract can be used for a single airdrop of USDC to the 4 selected accounts.

Proof of Concept

  1. The 4 selected claimer accounts claim their airdrop.

  2. Later, the owner wants to run another USDC airdrop to different accounts.

  3. This cannot be done, because the smart contract has no function to update the Merkle root.

Recommended Mitigation

Consider adding an owner-only function that updates the stored Merkle root and emits the existing MerkleRootUpdated event:

+ function updateMerkleRoot(bytes32 newMerkleRoot) external onlyOwner {
+     s_merkleRoot = newMerkleRoot; // s_merkleRoot: assumed name of the storage variable holding the root
+     emit MerkleRootUpdated(newMerkleRoot);
+ }
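
The following is an added, self-contained example of the recommended mitigation; it is not the contest's MerkleAirdrop.sol and does not reuse its internals. The names UpdatableMerkleAirdrop, s_merkleRoot, s_claimed, i_token, i_owner and the Claimed event are chosen here for illustration. Only the MerkleRootUpdated event comes from the finding. The example keeps the root in a regular storage variable so the owner can replace it, and tracks claims per root rather than per address, so that rotating the root neither blocks an account that appears in both rounds nor lets a proof built for an old root be replayed against the new one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the contest's MerkleAirdrop.sol). Assumed: a plain ERC-20
// transfer for payout; the identifiers below are illustrative, not the original's.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract UpdatableMerkleAirdrop {
    event MerkleRootUpdated(bytes32 newMerkleRoot); // same signature as in the finding
    event Claimed(bytes32 indexed merkleRoot, address indexed account, uint256 amount);

    error NotOwner();
    error InvalidProof();
    error AlreadyClaimed();
    error TransferFailed();

    address public immutable i_owner;
    IERC20 public immutable i_token;
    bytes32 public s_merkleRoot; // storage, not immutable, so the owner can rotate it

    // Claims are keyed by (root, account): a new root starts with a clean slate,
    // and a proof issued for a previous root cannot be reused under the new one.
    mapping(bytes32 root => mapping(address account => bool)) public s_claimed;

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert NotOwner();
        _;
    }

    constructor(bytes32 initialRoot, IERC20 token) {
        i_owner = msg.sender;
        i_token = token;
        s_merkleRoot = initialRoot;
        emit MerkleRootUpdated(initialRoot);
    }

    /// Owner-only root rotation: the function the finding says is missing.
    function updateMerkleRoot(bytes32 newMerkleRoot) external onlyOwner {
        s_merkleRoot = newMerkleRoot;
        emit MerkleRootUpdated(newMerkleRoot);
    }

    /// Claim against the currently active root. Anyone may submit a valid proof,
    /// but tokens are always sent to `account`, the address committed in the leaf.
    /// Leaf = keccak256(keccak256(abi.encode(account, amount))): the double hash
    /// keeps leaves distinguishable from internal nodes (second-preimage defence).
    function claim(address account, uint256 amount, bytes32[] calldata proof) external {
        bytes32 root = s_merkleRoot;
        if (s_claimed[root][account]) revert AlreadyClaimed();
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
        if (!_verify(proof, root, leaf)) revert InvalidProof();
        s_claimed[root][account] = true; // effects before the external call
        emit Claimed(root, account, amount);
        if (!i_token.transfer(account, amount)) revert TransferFailed();
    }

    /// Sorted-pair Merkle proof check (same hashing order as OpenZeppelin's MerkleProof.verify).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf) internal pure returns (bool) {
        bytes32 computed = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sibling = proof[i];
            computed = computed < sibling
                ? keccak256(abi.encodePacked(computed, sibling))
                : keccak256(abi.encodePacked(sibling, computed));
        }
        return computed == root;
    }
}
```

Two points worth checking in any real implementation of this mitigation: the root must live in a storage slot (an immutable cannot be rotated after deployment), and the "already claimed" bookkeeping must be scoped to the root, otherwise the first round's flags either lock out returning accounts or, if reset naively, allow double claims.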
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
