AirDropper
AI First Flight #5
Beginner Friendly
DeFi
Foundry
EXP
Apr 6th, 2026 → Apr 6th, 2026
9 / 9 Submissions

| # | Submission | Severity | Validity | Tags | Author |
|---|---|---|---|---|---|
| 1 | claim() has no s_hasClaimed guard, allowing any eligible address to drain the entire airdrop by claiming repeatedly | High | Valid | [H-02] Eligible users can c... | virgilbb |
| 2 | Deploy.s.sol funds the airdrop from a different USDC address than the one stored in the contract, leaving the contract permanently unfunded | High | Valid | [H-01] Address of USDC toke... | virgilbb |
| 3 | Deploy.s.sol uses a Merkle root built for 25e18 amounts but funds the contract with 25e6 USDC, making every claim permanently impossible | High | Valid | [H-03] Wrong Merkle Root us... | virgilbb |
| 4 | Merkle tree uses Ethereum L1 addresses but contract deploys on zkSync Era where account abstraction wallets have different addresses, locking affected users out permanently | High | Valid | [H-04] Unable to receive ai... | virgilbb |
| 5 | claim() takes account as a caller-supplied parameter, allowing anyone to trigger a claim on behalf of any eligible address | Medium | Invalid | | virgilbb |
| 6 | claim() emits Claimed before safeTransfer, violating CEI and enabling off-chain listeners to observe false claim events | Low | Invalid | | virgilbb |
| 7 | Merkle leaf encodes only (account, amount) with no chainId or contract address, allowing a valid proof from one deployment to replay on any other deployment sharing the same root | Medium | Invalid | | virgilbb |
| 8 | claimFees() sends accumulated ETH to owner() via a low-level call with no fallback; if owner is a non-payable contract, all fee ETH is permanently locked | Medium | Invalid | | virgilbb |
| 9 | MerkleRootUpdated event is declared but never emitted — dead code that implies a non-existent merkle root update mechanism | Low | Invalid | | virgilbb |