claim() has no replay protection, so a single eligible account can claim repeatedly and drain the entire airdrop
Root + Impact
Description
claim() verifies a Merkle proof and transfers the airdrop amount, but it never records that an account has already claimed:
Because there is no mapping(address => bool) hasClaimed (or equivalent), the same (account, amount, proof) tuple stays valid forever and can be submitted any number of times. Anyone (paying only the tiny FEE each call) can repeatedly invoke claim for one eligible account, sending amount to it on every call until the contract's token balance is exhausted. This drains the tokens allocated to every other recipient - they can never claim.
Risk
Likelihood: High - the proof is public/reusable and claim is permissionless; replaying it is trivial.
Impact: High - the entire airdrop balance can be drained to a single account, depriving all legitimate recipients (direct loss of funds).
Proof of Concept
The contract is funded with 4 recipients' worth of tokens. collectorOne claims its valid leaf 4 times and walks away with the whole pool. Runnable Foundry test (add to MerkleAirdropTest.t.sol):
Run forge test --mt test_PoC_doubleClaimDrains -vv; it passes - the pool is fully drained by repeated claims.
Recommended Mitigation
Persist a per-account claimed flag and reject any repeat claim. Add a custom error, a state mapping, and set+check the flag before the external transfer (checks-effects-interactions), so even a single account can only ever receive its allocation once. The full corrected function:
Why this fixes it: the s_hasClaimed[account] write makes every leaf single-use, so replaying the same proof reverts with MerkleAirdrop__AlreadyClaimed(). Setting the flag before safeTransfer also closes any reentrancy angle. Keying on account (the leaf's identity) rather than msg.sender preserves the existing "anyone can submit on behalf of a recipient" behavior while still enforcing one claim per recipient.
Lead Judging Commences
[H-02] Eligible users can claim their airdrop amounts over and over again, draining the contract
## Description A user eligible for the airdrop can verify themselves as being part of the merkle tree and claim their airdrop amount. However, there is no mechanism enabled to track the users who have already claimed their airdrop, and the merkle tree is still composed of the same user. This allows users to drain the `MerkleAirdrop` contract by calling the `MerkleAirdrop::claim()` function over and over again. ## Impact **Severity: High**<br/>**Likelihood: High** A malicious user can call the `MerkleAirdrop::claim()` function over and over again until the contract is drained of all its funds. This also means that other users won't be able to claim their airdrop amounts. ## Proof of Code Add the following test to `./test/MerkleAirdrop.t.sol`, ```javascript function testClaimAirdropOverAndOverAgain() public { vm.deal(collectorOne, airdrop.getFee() * 4); for (uint8 i = 0; i < 4; i++) { vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } assertEq(token.balanceOf(collectorOne), 100e6); } ``` The test passes, and the malicious user has drained the contract of all its funds. ## Recommended Mitigation Use a mapping to store the addresses that have claimed their airdrop amounts. Check and update this mapping each time a user tries to claim their airdrop amount. ```diff contract MerkleAirdrop is Ownable { using SafeERC20 for IERC20; error MerkleAirdrop__InvalidFeeAmount(); error MerkleAirdrop__InvalidProof(); error MerkleAirdrop__TransferFailed(); + error MerkleAirdrop__AlreadyClaimed(); uint256 private constant FEE = 1e9; IERC20 private immutable i_airdropToken; bytes32 private immutable i_merkleRoot; + mapping(address user => bool claimed) private s_hasClaimed; ... function claim(address account, uint256 amount, bytes32[] calldata merkleProof) external payable { + if (s_hasClaimed[account]) revert MerkleAirdrop__AlreadyClaimed(); if (msg.value != FEE) { revert MerkleAirdrop__InvalidFeeAmount(); } bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(account, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert MerkleAirdrop__InvalidProof(); } + s_hasClaimed[account] = true; emit Claimed(account, amount); i_airdropToken.safeTransfer(account, amount); } ``` Now, let's unit test the changes, ```javascript function testCannotClaimAirdropMoreThanOnceAnymore() public { vm.deal(collectorOne, airdrop.getFee() * 2); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); vm.prank(collectorOne); airdrop.claim{ value: airdrop.getFee() }(collectorOne, amountToCollect, proof); } ``` The test correctly fails, with the following logs, ```shell Failing tests: Encountered 1 failing test in test/MerkleAirdropTest.t.sol:MerkleAirdropTest [FAIL. Reason: MerkleAirdrop__AlreadyClaimed()] testCannotClaimAirdropMoreThanOnceAnymore() (gas: 96751) ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.