AirDropper

AI First Flight #5
Beginner Friendly, DeFi, Foundry
Submission Details
Impact: medium
Likelihood: high
Invalid

Params logic error

Params logic error in claim()

Description

  • In the claim function we take an address account as a parameter and transfer the tokens to that address, but the problem is that msg.sender could be different from account, which leads to loss of control.

@> function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
       if (msg.value != FEE) {
           revert MerkleAirdrop__InvalidFeeAmount();
       } //audit-high, could claim many times, no checks, leads to drain all other eligible users' funds
       bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
       if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
           revert MerkleAirdrop__InvalidProof();
       }
       emit Claimed(account, amount);
@>     i_airdropToken.safeTransfer(account, amount);
   }

Risk

Likelihood: High

It occurs every time msg.sender passes another address as account.


Impact: Medium

It leads to loss of control because the real owner of these funds does not have control over them.

Proof of Concept
In this case the user just calls the claim function with collectorOne as the account parameter and, as we can see, he claims the funds even though they were not his.

function testProofOfCodeLossOfControl() public {
    address user = makeAddr("user");
    vm.deal(user, airdrop.getFee());
    vm.startPrank(user);
    airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
    vm.stopPrank();
    console.log(token.balanceOf(collectorOne));
}
Ran 1 test for test/MerkleAirdropTest.t.sol:MerkleAirdropTest
[PASS] testProofOfCodeLossOfControl() (gas: 76647)
Logs:
25000000

Recommended Mitigation

Check that account == msg.sender, otherwise revert.

- remove this code
+ add this code
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
    if (msg.value != FEE) {
        revert MerkleAirdrop__InvalidFeeAmount();
    } //audit-high, could claim many times, no checks, leads to drain all other eligible users' funds
+   // the caller must be the account being claimed for; this check has to sit outside the fee block so it is reachable
+   if (account != msg.sender) {
+       revert();
+   }
    bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
    if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
        revert MerkleAirdrop__InvalidProof();
    }
    emit Claimed(account, amount);
    i_airdropToken.safeTransfer(account, amount); //audit-low, account could be different from msg.sender
}
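An added Foundry test, not part of the original submission, that exercises the mitigation above: a third party paying the fee is rejected, while the account itself can still claim. It assumes the same fixture as the submitter's PoC (airdrop, token, collectorOne, amountToCollect, proof) and that the added check reverts with no data, matching the bare revert() above.

```solidity
function testClaimRequiresCallerToBeAccount() public {
    address user = makeAddr("user");
    vm.deal(user, airdrop.getFee());
    // record the balance first so the test does not assume collectorOne starts at zero
    uint256 balanceBefore = token.balanceOf(collectorOne);

    // A third party paying the fee may not claim on collectorOne's behalf.
    vm.startPrank(user);
    vm.expectRevert(); // assumption: the mitigation uses a bare revert() with no error data
    airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
    vm.stopPrank();
    assertEq(token.balanceOf(collectorOne), balanceBefore, "no tokens moved on rejected claim");

    // The account itself, paying the fee, still claims successfully.
    vm.deal(collectorOne, airdrop.getFee());
    vm.prank(collectorOne);
    airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);
    assertEq(token.balanceOf(collectorOne), balanceBefore + amountToCollect, "owner claim credited");
}
```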
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 13 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
