
Anyone can claim airdrop amounts on behalf of anyone #107

@code423n4

Description


Handle

cmichel

Vulnerability details

The Airdrop.claim(s) functions allow claiming the airdrop tokens of other users.
While the tokens are sent to the correct address, this can lead to issues with the accounting of EOAs or smart contracts that might rely on claiming the tokens themselves.

function claimAndDoSomething(uint256 _trancheId, uint256 _balance, bytes32[] calldata _merkleProof) external {
    // Measure the token balance before and after the claim to learn how much arrived
    uint256 claimedAmount = token.balanceOf(address(this));
    airdrop.claim(address(this), _trancheId, _balance, _merkleProof);
    claimedAmount = token.balanceOf(address(this)) - claimedAmount;
    // do something with the tokens (here: forward them); if the tranche was already
    // claimed by a third party, the claim above reverts and this line is never reached
    token.transfer(externalWallet, claimedAmount);
}

Impact

Claiming can incur a taxable event and the timing is better left to the actual owner.
If a contract is deployed to claim a tranche and it has no other functions to transfer out funds, the funds may be locked forever in that contract.

Recommended Mitigation Steps

Do not allow users to claim on behalf of other users.
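The claim shape described in the finding next to a mitigated one that only lets msg.sender claim for itself, as an added example that is not the audited project's code. Only the claim(address, uint256, uint256, bytes32[]) call shape comes from the issue; the Merkle leaf encoding, tranche storage, owner handling and all contract and function names are assumptions. The second contract reproduces the balance-delta pattern from the finding so the failure mode is visible: if a third party calls Airdrop.claim(address(claimer), ...) first, the claimer's own call reverts on "already claimed" and the tokens already sitting in it have no exit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not code from the audited project. Only the call shape
// claim(address, uint256, uint256, bytes32[]) appears in the finding; the leaf
// encoding, tranche storage, owner handling and names below are assumptions.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract Airdrop {
    IERC20 public immutable token;
    address public immutable owner;
    mapping(uint256 => bytes32) public trancheRoots;              // trancheId => Merkle root
    mapping(uint256 => mapping(address => bool)) public claimed;  // trancheId => account => done

    event Claimed(uint256 indexed trancheId, address indexed account, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function setTrancheRoot(uint256 _trancheId, bytes32 _root) external {
        require(msg.sender == owner, "not owner");
        trancheRoots[_trancheId] = _root;
    }

    // Shape described in the finding: any caller may pass any `_account`.
    // Tokens still reach `_account`, but a stranger decides *when*, which breaks
    // callers that measure their own balance around the call.
    function claim(address _account, uint256 _trancheId, uint256 _balance, bytes32[] calldata _merkleProof) external {
        _claim(_account, _trancheId, _balance, _merkleProof);
    }

    // Mitigated shape: the beneficiary is always msg.sender, so only the address
    // that receives the tokens can trigger its own claim.
    function claimOwn(uint256 _trancheId, uint256 _balance, bytes32[] calldata _merkleProof) external {
        _claim(msg.sender, _trancheId, _balance, _merkleProof);
    }

    function _claim(address _account, uint256 _trancheId, uint256 _balance, bytes32[] calldata _merkleProof) internal {
        require(!claimed[_trancheId][_account], "already claimed");
        // Assumed leaf encoding: keccak256(account || balance)
        bytes32 leaf = keccak256(abi.encodePacked(_account, _balance));
        require(_verify(_merkleProof, trancheRoots[_trancheId], leaf), "invalid proof");
        claimed[_trancheId][_account] = true;
        require(token.transfer(_account, _balance), "transfer failed");
        emit Claimed(_trancheId, _account, _balance);
    }

    // Sorted-pair Merkle verification, the same scheme OpenZeppelin's MerkleProof uses.
    function _verify(bytes32[] calldata _proof, bytes32 _root, bytes32 _leaf) internal pure returns (bool) {
        bytes32 computed = _leaf;
        for (uint256 i = 0; i < _proof.length; i++) {
            bytes32 sibling = _proof[i];
            computed = computed < sibling
                ? keccak256(abi.encodePacked(computed, sibling))
                : keccak256(abi.encodePacked(sibling, computed));
        }
        return computed == _root;
    }
}

// The pattern from the finding. With Airdrop.claim a third party can front-run
// claimAndForward with claim(address(this), ...): the tokens land here, this
// function then reverts on "already claimed", and nothing else can move them out.
// Switching the inner call to airdrop.claimOwn(...) removes that window, because
// only this contract can then trigger its own claim.
contract ClaimAndForward {
    Airdrop public immutable airdrop;
    IERC20 public immutable token;
    address public immutable externalWallet;

    constructor(Airdrop _airdrop, IERC20 _token, address _externalWallet) {
        airdrop = _airdrop;
        token = _token;
        externalWallet = _externalWallet;
    }

    function claimAndForward(uint256 _trancheId, uint256 _balance, bytes32[] calldata _merkleProof) external {
        uint256 before = token.balanceOf(address(this));
        airdrop.claim(address(this), _trancheId, _balance, _merkleProof);
        uint256 received = token.balanceOf(address(this)) - before;
        require(token.transfer(externalWallet, received), "transfer failed");
    }
}
```

Note that claimOwn does not remove the "already claimed" check, it only changes who can reach it: the proof still binds the amount to the claiming address, so the mitigation costs nothing in verification and only drops the `_account` parameter an outsider could previously choose.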

Labels

1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons