function test_thirdPartyCanForceClaimForAnotherAccount() public {
uint256 fee = airdrop.getFee();
vm.deal(attacker, 1
Describe the normal behavior in one or more sentencesypically an airdrop claim should be initiated by (or explicitly authorized by) the recipient account itself.
The issue: claim() takes account as an arbitrary parameter with no signature or msg.sender == account check. Anyone can call claim() and pass in any eligible address as account, forcing a claim on their behalf. Combined with the fee requirement, this means a third party could pay the fee and force-claim tokens for someone else without their consent — timing they didn't choose, potentially before they wanted their allocation revealed or moved.
Likelihood:
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 1:Any Merkle leaf (account + amount) becomes public once revealed in the airdrop's proof-generation data or after any related on-chain activity, so a third party has everything needed to trigger a claim for someone else.
Reason 2: No signature, msg.sender check, or opt-in mechanism gates who can initiate a claim.
Impact:
Impact 1:Tokens can be sent to an account without that account's consent or chosen timing, which may be undesirable for accounts wanting privacy, tax-timing control, or simply choosing not to claim yet.
Impact 2: While tokens still land in the correct account (not stolen), it removes recipient control over the claim action — a low/medium severity design flaw rather than a fund-loss bug. Proof of Concept
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.