AirDropper

AI First Flight #5

Beginner FriendlyDeFiFoundry

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Missing Input Validation for Zero Address and Zero Amount

muzammilmohammed678

Root + Impact

Description

The contract doesn't validate that the `airdropToken` address is not zero in the constructor, and doesn't validate that `account` and `amount` are non-zero in the `claim` function. While these would likely cause reverts elsewhere, explicit validation improves code clarity and prevents edge cases.

### Root + Impact

Missing input validation for critical parameters allows potentially invalid states or wasted gas.

```solidity

// src/MerkleAirdrop.sol:25

constructor(bytes32 merkleRoot, IERC20 airdropToken) Ownable(msg.sender) {

i_merkleRoot = merkleRoot;

i_airdropToken = airdropToken;

}

```

```solidity

// src/MerkleAirdrop.sol:30

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

```

If `airdropToken` is address(0), the contract will be deployed but all transfers will fail. If `account` is address(0) or `amount` is 0, users could waste gas on transactions that will fail or have no effect.

Risk

Likelihood:

* Deployment could accidentally use zero address for token

* Users could attempt to claim with zero address or zero amount

* These edge cases may not be caught during testing

Impact:

* Contract could be deployed in an unusable state (zero token address)

* Users waste gas on invalid transactions

* Poor user experience with unclear error messages

* Potential for accidental token burns if zero address is used

Proof of Concept

1. Constructor is called with `airdropToken = address(0)`

2. Contract deploys successfully

3. All `claim()` calls fail because `safeTransfer(address(0), amount)` will revert

4. Contract is permanently unusable

Recommended Mitigation

```diff

// src/MerkleAirdrop.sol:25-28

constructor(bytes32 merkleRoot, IERC20 airdropToken) Ownable(msg.sender) {

+ if (address(airdropToken) == address(0)) {

+ revert MerkleAirdrop__InvalidTokenAddress();

+ }

i_merkleRoot = merkleRoot;

i_airdropToken = airdropToken;

}

// src/MerkleAirdrop.sol:30-40

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

+ if (account == address(0)) {

+ revert MerkleAirdrop__InvalidAccount();

+ }

+ if (amount == 0) {

+ revert MerkleAirdrop__InvalidAmount();

+ }

if (msg.value != FEE) {

revert MerkleAirdrop__InvalidFeeAmount();

}

// ... rest of function

}

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!