Open sherlock-admin4 opened 1 month ago
https://github.com/sherlock-audit/2024-08-flayer/blob/0ec252cf9ef0f3470191dcf8318f6835f5ef688c/flayer/src/contracts/utils/AirdropRecipient.sol#L102 Because this is an admin-operated function, it cannot be assumed that the admin mistakenly set the same _merkle to true for different _claimType. The _merkle and _claimType are one-to-one correspondences, so it cannot be assumed that a single _merkle contains two or more _claimType for airdrops. Therefore, if (!merkleClaims[_merkle][_claimType]) revert MerkleRootNotValid(); will revert.
The claim type is better defined in the merkle tree schema. This issue is Low/Info.
Actually @ZeroTrust01 I believe the statement "it cannot be assumed that the admin mistakenly set the same _merkle to true for different _claimType." could be wrong, because as described here https://github.com/sherlock-audit/2024-08-flayer-judging/issues/332 We have a test that shows that its 100% intended to have multiple ClaimTypes for the same merkle root, example - test_CannotDistributeExistingMerkle()
Edit: regarding the rules tests are indeed not considered source of truth and I agree this issue should be invalid
ctf_sec
High
Fund in airdrop distribution contract can be stolen because the claim type is not in the merkle tree schema
Summary
the merkle claim schema is:
and the logic for claim airdrop is
the root cause is that the claim type is not in the node schema.
consider the case:
the airdrop contract hold 100 ETH and 10000 USDC.
the user is entitled to 100 USDC airdrop, the user get the merkle proof and the MerkleClaim
both
consider the case Enums.ClaimType.NATIVE and Enums.ClaimType.ERC20 is enabled.
then user while user should input Enums.ClaimType.ERC20 and get the 100 USDC airdrop,
user can use the same claim node to input Enums.ClaimType.NATIVE and steal all 100 ETH.
Vulnerability Detail
Impact
lose of fund
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/0ec252cf9ef0f3470191dcf8318f6835f5ef688c/flayer/src/contracts/utils/AirdropRecipient.sol#L121
Tool used
Manual Review
Recommendation
Change the code to include the claim type in the merkle tree node schema.