audit: claim contracts#2288
Open
JuArce wants to merge 1 commit into
Open
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
MarcosNicolau
approved these changes
Jun 29, 2026
JuArce
marked this pull request as ready for review
July 14, 2026 13:08
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses the findings from the two security audits of
ClaimableAirdrop.sol(FuzzingLabs and Least Authority), both included underaudits/claim_contracts/. All actionable findings are fixed in this single PR, and the contract now ships with a test suite.Audit findings addressed
transferFromused without SafeERC20Changes
Contract (
src/ClaimableAirdrop.sol)renounceOwnership()override that reverts, matchingAlignedToken, so the owner can't brick the airdrop by renouncing.SafeERC20, addusing SafeERC20 for IERC20, and replace bothtransferFrom+ bool-check blocks inclaim/claimBatchwithsafeTransferFrom. Robust to non-standard/no-return-data tokens (relevant sincetokenProxyis an upgradeable proxy).updateMerkleRoot, and claims are effectively first-come-first-served if the distributor is underfunded.Compiler (FL-AL-4)
0.8.35inClaimableAirdrop.solandAlignedToken.sol, and pinnedsolc_version = "0.8.35"infoundry.toml. Both contracts share dependencies and are imported together by the deploy scripts, so they must compile under a single version. The token is not being redeployed; the bump is a hygiene measure.Test suite (LA-2)
test/ClaimableAirdrop.t.sol— 24 tests, covering: initialization, allclaimrevert branches (pause, deadline, vesting, double-claim, invalid proof, wrong amount, non-entitled caller),claimBatch(success, length mismatch, empty batch, duplicate leaf), access control (owner-only, requires-paused, renounce-reverts), and the SafeERC20 path (false-returning token + failed-transfer leaving the leaf claimable for retry).test/fixtures/generator/) uses the samemerkle-tree-rsrevision and leaf encoding as the production proof generator (aligned_airdrop_web/merkle_proof_generator) to producetest/fixtures/proofs.json. The tests load that fixture and verify the on-chain verifier against real generator output. The Rust toolchain is only needed to regenerate the fixture (seetest/fixtures/README.md), never to run the tests.Fix details (code links)
Permalinks point at the applied code as of commit
28a2a0b.FL-AL-1 — Prevent ownership renouncement
renounceOwnership()override that reverts:ClaimableAirdrop.solL216-L221test_renounceOwnership_revertsFL-AL-2 — SafeERC20
ClaimableAirdrop.solL5 ·usingdirective: L31claim→safeTransferFrom: L109 ·claimBatch: L142-L146test_claim_revertsWhenTokenReturnsFalse·test_claim_failedTransferDoesNotStrandLeafFL-AL-3 / LA-1 — Document edge cases
ClaimableAirdrop.solL15-L23FL-AL-4 — Compiler bump to 0.8.35
ClaimableAirdrop.solL2 ·AlignedToken.solL2 ·foundry.tomlL8LA-2 — Test suite
test/ClaimableAirdrop.t.sol(24 tests) — multi-leaf coverage e.g.test_claim_fixtureProofs_allClaim,test_claimBatch_revertsOnDuplicateLeaf,test_claimBatch_revertsOnEmptyBatchmerkle-tree-rs):test/fixtures/generator/src/main.rs→ committed fixturetest/fixtures/proofs.jsonNotes for reviewers
AlignedToken.solwas out of scope for the audits but is bumped to0.8.35to keep the project compiling under a single compiler (the deploy scripts import both contracts).Testing
forge build --force— compiles cleanly on solc 0.8.35.forge test— 24 passed, 0 failed.