🧲Repeated Airdrop Claims Vulnerability

Airdrop contracts are commonly used in blockchain ecosystems to distribute tokens to a wide user base. However, if the contract isn't designed securely, certain vulnerabilities can allow malicious users to exploit the system. One such vulnerability occurs when a user is able to claim their airdrop tokens repeatedly, draining the contract of funds. This issue arises when there are insufficient validation checks to prevent users from "revalidating" their airdrop after they've already claimed it.

In this tutorial, we’ll explore how this type of vulnerability works, how it can be exploited, and what can be done to mitigate it.

The Vulnerability: Repeated Airdrop Claims

This vulnerability occurs when a user who has already claimed their airdrop can bypass validation checks and reset their eligibility to claim tokens again. Once reset, they are able to claim additional tokens from the airdrop, as long as there are still funds in the contract. This effectively allows malicious users to drain the contract by claiming more than they were originally allocated.

Vulnerability Example:

Let's consider the following example of an airdrop contract:

function claimExact(uint256 _value) external nonReentrant {
    require(msg.sender != address(0), "Invalid address");
    require(airdrop[msg.sender].amount != 0, "No airdrop available");

    uint256 avail = _availableSupply();
    uint256 claimable = avail * airdrop[msg.sender].fraction / 10**18;
    
    if (airdrop[msg.sender].claimed != 0) {
        claimable -= airdrop[msg.sender].claimed;
    }

    require(airdrop[msg.sender].amount >= claimable, "Insufficient airdrop");
    require(_value <= claimable, "Claim value exceeds claimable");

    airdrop[msg.sender].amount -= _value;
}

In this function:

• The user is allowed to claim a specific amount (_value) from their airdrop allocation.

• Once the full airdrop amount is claimed, the airdrop[msg.sender].amount is set to 0.

However, a separate function, validate(), is responsible for resetting and updating a user's airdrop information, which can inadvertently allow them to claim more tokens:

function validate() external nonReentrant {
    require(airdrop[msg.sender].amount == 0, "Already validated");

    Airdrop memory newAirdrop = Airdrop(airdroppable, 0, airdroppable, 10**18 * airdroppable / totalSupply);
    airdrop[msg.sender] = newAirdrop;
}

The issue here is that after claiming all of their airdrop tokens (setting airdrop[msg.sender].amount to 0), the user can call the validate() function again. This resets their airdrop information and effectively allows them to claim tokens repeatedly, as the claimed amount is also reset in the process.

Proof of Exploit:

1. Claim Airdrop: The user calls claimExact() to claim their tokens, reducing their airdrop[msg.sender].amount to 0.

2. Revalidate: The user then calls validate(), which resets the airdrop[msg.sender] structure with new values, allowing them to claim more tokens as though they never claimed in the first place.

3. Claim Again: The user can now repeat the process to claim more tokens, essentially draining the contract.

Impact: Why This is Dangerous

The ability for users to claim their airdrop multiple times has several critical implications:

1. Contract Draining: If a user can reset their airdrop eligibility and claim tokens repeatedly, they can drain the entire airdrop contract, stealing tokens that should have been allocated to other users.

2. Fairness Violations: Airdrops are typically designed to distribute tokens fairly to a large user base. Allowing certain users to claim more than their allocated share undermines the fairness of the distribution process.

3. Loss of Trust: Projects that suffer from such vulnerabilities may lose the trust of their user base, as users who miss out on their rightful airdrop allocations are likely to feel cheated.

---

Mitigation: Preventing Repeated Airdrop Claims

The primary goal of the mitigation is to ensure that once a user has claimed their tokens, they cannot reset their eligibility and claim again. Here are some key steps that should be implemented:

1. Track Validation Status

One of the most effective mitigations is to track whether a user has already been validated and prevent them from calling validate() again after they’ve been validated once.

mapping(address => bool) public validated;

function validate() external nonReentrant {
    require(validated[msg.sender] == false, "Already validated");

    Airdrop memory newAirdrop = Airdrop(airdroppable, 0, airdroppable, 10**18 * airdroppable / totalSupply);
    airdrop[msg.sender] = newAirdrop;
    validated[msg.sender] = true;
}

By checking the validated status and ensuring it cannot be reset, users cannot revalidate their eligibility after they've already claimed their tokens.

Conclusion

The ability for users to claim their airdrop repeatedly is a serious vulnerability that can result in the draining of funds from a smart contract. By ensuring that users cannot reset their eligibility once they’ve claimed their tokens, developers can prevent this issue from occurring. Tracking validation status, properly managing claim states, and ensuring that validation logic is restricted to valid users are key steps in mitigating this type of attack.

Implementing these strategies ensures that airdrops are distributed fairly and securely, preserving the integrity of the token distribution process.