AirDropper
AI First Flight #5
Beginner Friendly
DeFi
Foundry
EXP
Mar 16th, 2026 → Mar 16th, 2026
8 / 8
Submissions
| # | Title | Severity | Validity | Tags | Author |
|---|-------|----------|----------|------|--------|
| 1 | Missing claim tracking allows eligible addresses to drain the entire airdrop by claiming multiple times | High | Valid | [H-02] Eligible users can c... | sexretxt |
| 2 | Anyone can call MerkleAirdrop::claim() on behalf of any eligible address, enabling griefing and forced claims | High | Invalid | | sexretxt |
| 3 | Two different USDC addresses used in Deploy::run() causes MerkleAirdrop to reference a different token than the one funded, making all claims permanently fail | High | Valid | [H-01] Address of USDC toke... | sexretxt |
| 4 | Strict equality fee check in MerkleAirdrop::claim() causes legitimate transactions to revert when wallets send slightly more than the required fee | Medium | Invalid | | sexretxt |
| 5 | Unchecked return value of IERC20.transfer() in Deploy::run() allows deployment to silently succeed with an unfunded airdrop contract | Medium | Invalid | | sexretxt |
| 6 | MerkleAirdrop::claim() violates the Checks-Effects-Interactions pattern, enabling reentrancy for tokens with transfer hooks | Low | Invalid | | sexretxt |
| 7 | MerkleAirdrop::claimFees() emits no event on withdrawal, making fee collection undetectable without parsing raw transaction data | Low | Invalid | | sexretxt |
| 8 | Deploy::deployMerkleDropper() is public instead of internal, allowing anyone to deploy arbitrary MerkleAirdrop instances from the script | Low | Invalid | | sexretxt |