No Claim Tracking — Users Can Claim Unlimited Times
[CRITICAL-1] No Claim Tracking — Users Can Claim Unlimited Times
File: src/MerkleAirdrop.sol, function claim() (line 31–42)
Summary
The contract does not record which accounts have already claimed their airdrop. Any eligible address can call claim() repeatedly with the same valid Merkle proof to drain the entire token balance of the contract.
Vulnerability Details
The claim function verifies a Merkle proof to confirm eligibility, but never marks the claim as consumed. There is no mapping such as mapping(address => bool) public hasClaimed to prevent re-entry. As long as the contract holds tokens and the caller pays FEE each time, the same leaf in the Merkle tree can be used infinitely.
There is no hasClaimed[account] = true or similar guard anywhere in the contract.
PoC
See exploit_poc.sol and test_exploit.t.sol in this audit-results folder.
Impact
-
Complete token drain. Any eligible address with a valid proof can claim the full contract balance.
-
With 4 eligible addresses × 25 USDC = 100 USDC total, any single eligible user can drain all 100 USDC.
-
Only the
FEE(1e9 wei ≈ 0.000000001 ETH) acts as a trivial financial barrier. -
The airdrop is entirely broken — non-targeted users receive nothing.
Tools Used
-
Manual analysis
-
Static analysis (Slither pattern: missing state update before/after external call)
Recommendations
Add a claimed mapping and check before transferring:
Lead Judging Commences
[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract
## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.