AirDropper
AI First Flight #5
Beginner FriendlyDeFiFoundry
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

hasClaimed Mapping Allows Unlimited Replay of Any Valid Proof, Draining All Tokens

sergios

Description

  • The claim function distributes tokens to eligible addresses by verifying a Merkle proof and charging a small ETH fee per call.

  • No state variable is written after a successful claim — there is no hasClaimed[account] mapping or any equivalent. Since the Merkle proof verification is
    purely deterministic, the same (account, amount, proof) triple passes every subsequent call identically, transferring amount tokens each time until the contract
    balance reaches zero.

// src/MerkleAirdrop.sol

function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
if (msg.value != FEE) {
revert MerkleAirdrop__InvalidFeeAmount();
}
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert MerkleAirdrop__InvalidProof();
}
emit Claimed(account, amount);
@> i_airdropToken.safeTransfer(account, amount);
// @> No storage write anywhere in this function.
// @> hasClaimed[account] is never set — proof remains valid for every future call.
}

Risk

Likelihood:

  • The Merkle tree data (addresses, amounts, proofs) is publicly derivable from the off-chain tree.json file published alongside the contract — any observer has
    everything required to execute the attack from the moment the contract is funded.

  • The cost per replay is 1 gwei + gas, which is orders of magnitude less than the value of 25 USDC per call — the attack is profitable from the very first
    replay.

Impact:

  • The entire token balance (100 USDC) can be drained in a single transaction loop for approximately 4 gwei total, leaving the other three eligible addresses with
    nothing to claim.

  • The protocol's stated distribution goal — 25 USDC each to 4 specific addresses — is completely defeated; one party captures the entire allocation through
    mechanical replay.

Proof of Concept

function test_H02_ReplayDrainsEntireContract() public {
uint256 contractBalanceBefore = token.balanceOf(address(airdrop));
// contractBalanceBefore = 4 * 25e6 = 100e6

  // Attacker pays 4 × 1 gwei = 4 gwei to drain 100 USDC
  vm.deal(collectorOne, airdrop.getFee() * 4);
  vm.startPrank(collectorOne);

  // Same (account, amount, proof) replayed 4 times — all succeed
  airdrop.claim{value: airdrop.getFee()}(collectorOne, amountToCollect, proof);
  airdrop.claim{value: airdrop.getFee()}(collectorOne, amountToCollect, proof);
  airdrop.claim{value: airdrop.getFee()}(collectorOne, amountToCollect, proof);
  airdrop.claim{value: airdrop.getFee()}(collectorOne, amountToCollect, proof);
  vm.stopPrank();

  assertEq(token.balanceOf(address(airdrop)), 0);        // fully drained
  assertEq(token.balanceOf(collectorOne), amountToCollect * 4); // 4× intended amount

}

Recommended Mitigation

  • mapping(address => bool) private s_hasClaimed;

  • error MerkleAirdrop__AlreadyClaimed();

    function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable {
    if (msg.value != FEE) {
    revert MerkleAirdrop__InvalidFeeAmount();
    }

  • if (s_hasClaimed[account]) {

  •     revert MerkleAirdrop__AlreadyClaimed();

  • }
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
    revert MerkleAirdrop__InvalidProof();
}

  • s_hasClaimed[account] = true;
emit Claimed(account, amount);
i_airdropToken.safeTransfer(account, amount);

    }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract

## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!