c4-judge
commented
6 months ago jhsagd76 marked the issue as satisfactory
Open c4-bot-8 opened 6 months ago
c4-judge
commented
6 months ago jhsagd76 marked the issue as satisfactory
c4-judge
commented
6 months ago jhsagd76 marked the issue as confirmed for report
Lines of code
Vulnerability details
C4 issue
None
Comments
Previously, the admin of the Neuron contract could setup airdrops by approving NRN amounts to users using
Neuron::setupAirdrop. This was potentially problematic, because airdropping lots of addresses would be a gas intensive operation for the admin account.Mitigation
PR #16 Setting up airdrops has been modified to use merkle trees. Instead of directly approving addresses to claim NRN from the treasury, the admin now sets a merkle root calling
Neuron::setMerkleRootand then users can use a merkle proof toNeuron::claimthe airdropped amount. This new mechanism slightly increases the gas cost for claiming while significantly reduces the gas cost of setting the airdrop.The state variable
rootClaimedAirdropcorrectly keeps track of claims and it's possible to setup several airdrops.Suggestion
In
Neuron::claim, use_transfer()directly instead of using_approve()+transferFrom(). The latter increases the allowance and then removes it, which is equivalent to simply_transfer()the tokens.Conclusion
LGTM