AirDropper

AI First Flight #5

Beginner FriendlyDeFiFoundry

EXP

View results

Submission Details

Severity: high

Valid

[H] Users can claim airdrop rewards repeatedly.

huicanvie

Root + Impact

Description

Users can only claim their own airdrop rewards.
When calling the claim function, because there's no record of whether it has already been claimed, the same user can claim it multiple times.

// Root cause in the codebase with @> marks to highlight the relevant section

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

if (msg.value != FEE) {

revert MerkleAirdrop__InvalidFeeAmount();

}

//@> Missing a check to determine whether the current account has already claimed (received) it.

//@> Causes an account to be executed multiple times.

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));

}

Risk

Likelihood:

The vulnerability allows any user with valid proof to repeatedly claim the airdrop, theoretically enabling the first user to drain all assets from the contract. If this user is the last to claim and the balance has already been fully claimed normally, no additional assets can be stolen. However, in actual deployment and airdrop scenarios, attackers can easily perform the operation first, causing all assets to be stolen by a single user. This is a high-risk business logic vulnerability.

Impact:

Because the contract doesn't record claim status, any user with valid proof can repeatedly claim the airdrop. The first user to act can drain all the assets in the contract, preventing other users from claiming and resulting in the project party losing all its assets.

Proof of Concept

The attacker only needs to claim first to repeatedly claim all airdrop assets.
There are already 4 lucky users, so the first claimant can execute the claim 4 times.
You can compare the USDC balance of the airdrop.
Finally, the USDC balance of the airdrop was emptied and all stolen.

function test_Poc_userCanClaimMultipleTimes() public {

vm.deal(collectorOne, airdrop.getFee() * 4);

uint256 startingBalance = token.balanceOf(collectorOne);

console.log("Starting Balance: ", startingBalance);

console.log("Starting Airdrop Balance: ", token.balanceOf(address(airdrop)));

vm.startPrank(collectorOne);

airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof);

vm.stopPrank();

uint256 endingBalance = token.balanceOf(collectorOne);

console.log("Ending Balance: ", endingBalance);

console.log("Ending Airdrop Balance: ", token.balanceOf(address(airdrop)));

assertEq(endingBalance - startingBalance, amountToCollect * 4);

}

[PASS] test_Poc_userCanClaimMultipleTimes() (gas: 135642)

Logs:

Starting Balance: 0

Starting Airdrop Balance: 100000000

Ending Balance: 100000000

Ending Airdrop Balance: 0

Recommended Mitigation

Add a mapping to record who has already claimed.

+ error MerkleAirdrop__AlreadyClaimed();

+ mapping(address => bool) private s_hasClaimed;

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {

if (msg.value != FEE) {

revert MerkleAirdrop__InvalidFeeAmount();

}

+ if (s_hasClaimed[account]) {

+ revert MerkleAirdrop__AlreadyClaimed();

+ }

// ...

i_airdropToken.safeTransfer(account, amount);

+ s_hasClaimed[account] = true;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract

## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!