MrToph
commented
2 years ago While this same code has been used in other projects, the key difference here is that the leaf nodes (recipient addresses) have been chosen by wardens (potential adversaries)
Good point but the leaf nodes are keccak(recipient, amount) where the claim amount has been chosen by the C4 team, does this prevent this?
If I understand your attack correctly, the attacker would do:
- h1 = keccak(attacker1, uint256.max)
- h2 = keccak(attacker2, uint256.max)
- h = keccak(h1, h2) and then choose and submit a recipient address (for airdrop inclusion) such that
h == keccak(recipient, amount)whereamountwas chosen by the C4 team. They'd need to find a second preimage(recipient, amount) != (h1, h2)which goes against the collision resistance of keccak?
Austin-Williams
The merkle proof code does not check the length of the proofs, and so it is susceptible to a tree-extension attack (or second-preimage attack).
While this same code has been used in other projects, the key difference here is that the leaf nodes (recipient addresses) have been chosen by wardens (potential adversaries), whereas in other projects the leaf nodes are addresses grabbed from historical blockchain data (not chosen by potential adversaries).
This means a malicious airdrop receiver could have given you a malicious bytes32 "address" which is actually its own merkle root for a tree of addresses that the attacker controls. If you used such a malicious address as a leaf in your merkle tree, it would allow the attacker to generate arbitrarily many valid proofs for addresses they control.
After computing your merkle tree and learning its depth -- and before deploying these contracts -- I recommend adding a
require(merkleProof.length == treeDepth, 'invalid proof')just above this line.