Platform: Code4rena
Start Date: 27/01/2022
Pot Size: $75,000 USDT
Total HM: 6
Participants: 29
Period: 7 days
Judge: leastwood
Total Solo HM: 6
Id: 72
League: ETH
Rank: 10/29
Findings: 1
Award: $1,627.60
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: cmichel
1627.6042 USDT - $1,627.60
cmichel
The Airdrop.claim(s) functions allow claiming the airdrop tokens of other users.
While the tokens are sent to the correct address, this can lead to issues with the accounting of EOAs or smart contracts that might rely on claiming the tokens themselves.
```solidity
// Example consumer contract whose accounting assumes it performs the claim itself.
function claimAndDoSomething(
    uint256 _trancheId,
    uint256 _balance,
    bytes32[] calldata _merkleProof
) external {
    // Measure the amount received as the balance delta around the claim.
    uint256 claimedAmount = token.balanceOf(address(this));
    airdrop.claim(address(this), _trancheId, _balance, _merkleProof);
    claimedAmount = token.balanceOf(address(this)) - claimedAmount;
    // do something with the tokens
    token.transfer(externalWallet, claimedAmount);
}
```
Claiming can incur a taxable event and the timing is better left to the actual owner. If a contract is deployed to claim a tranche and it has no other functions to transfer out funds, they may be locked forever in this contract.
Do not allow users to claim on behalf of other users.
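One way to apply this recommendation, shown as an added sketch that is not the audited contract's code: the claim function takes no recipient argument and binds the Merkle leaf to msg.sender. The contract name, storage layout, leaf encoding (address and balance packed) and sorted-pair proof scheme are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical minimal airdrop (not the audited contract). The leaf encoding,
// storage layout and names below are assumptions made for illustration.
contract SelfClaimAirdrop {
    IERC20 public immutable token;
    mapping(uint256 => bytes32) public merkleRoots; // trancheId => Merkle root
    mapping(uint256 => mapping(address => bool)) public claimed;

    event Claimed(address indexed claimant, uint256 indexed trancheId, uint256 balance);

    constructor(IERC20 _token, bytes32[] memory _roots) {
        token = _token;
        for (uint256 i = 0; i < _roots.length; i++) merkleRoots[i] = _roots[i];
    }

    // No recipient parameter: the leaf is always built from msg.sender, so a
    // third party cannot trigger a claim for someone else's allocation.
    function claim(uint256 _trancheId, uint256 _balance, bytes32[] calldata _merkleProof) external {
        require(!claimed[_trancheId][msg.sender], "already claimed");
        bytes32 leaf = keccak256(abi.encodePacked(msg.sender, _balance));
        require(_verify(_merkleProof, merkleRoots[_trancheId], leaf), "invalid proof");

        claimed[_trancheId][msg.sender] = true; // effects before interaction
        emit Claimed(msg.sender, _trancheId, _balance);
        require(token.transfer(msg.sender, _balance), "transfer failed");
    }

    // Sorted-pair Merkle verification (same pairing rule as OpenZeppelin's MerkleProof).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf) private pure returns (bool) {
        bytes32 h = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 p = proof[i];
            h = h <= p ? keccak256(abi.encodePacked(h, p)) : keccak256(abi.encodePacked(p, h));
        }
        return h == root;
    }
}
```

With this shape, a contract such as the claimAndDoSomething example keeps control of when its own claim happens, because only a call originating from that contract can produce a valid leaf for its address.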