AirDropper

AI First Flight #5

Beginner FriendlyDeFiFoundry

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: low

Invalid

Unclaimed airdrop tokens are permanently locked: claimFees withdraws only ETH, and there is no token rescue path

sub99

No recovery path for undistributed airdrop tokens permanently locks unclaimed allocations in the contract

Description

The contract is funded with i_airdropToken, and tokens can only leave through claim(). claimFees() sweeps only ETH (address(this).balance) to the owner, so any airdrop tokens belonging to accounts that never claim are stuck forever.

function claimFees() external onlyOwner {

(bool succ,) = payable(owner()).call{ value: address(this).balance }(""); // @> only sweeps ETH; no token rescue

if (!succ) {

revert MerkleAirdrop__TransferFailed();

}

(src/MerkleAirdrop.sol:42-47)

Risk

Likelihood: Low

Real airdrops almost always have a non-zero unclaimed tail (lost keys, inactive users, abandoned addresses). The condition for stranded value is normal, but it requires those recipients to simply not claim, which is outside an attacker's control.

Impact: High

The undistributed i_airdropToken balance becomes permanently unrecoverable. For a large campaign this can mean a substantial, indefinitely frozen amount of value with no administrative path to reclaim or redistribute it.

Proof of Concept

After some recipients claim and others do not, the owner has no function to retrieve the leftover token balance.

function test_unclaimedTokensLocked() public {

airdrop.claim{value: airdrop.getFee()}(accountA, amountA, proofA);

// accountB never claims; tokens for B remain in the contract

uint256 stuck = token.balanceOf(address(airdrop));

assertGt(stuck, 0);

// no onlyOwner function exists to move `stuck` out -> permanently locked

}

Recommended Mitigation

Add an onlyOwner rescue for the airdrop token, ideally gated behind a claim deadline.

function claimFees() external onlyOwner {

(bool succ,) = payable(owner()).call{ value: address(this).balance }("");

if (!succ) {

revert MerkleAirdrop__TransferFailed();

}

+ function rescueAirdropTokens(address to, uint256 amount) external onlyOwner {

+ // require(block.timestamp > i_claimDeadline);

+ i_airdropToken.safeTransfer(to, amount);

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!