
Unable to receive airdrop due to account abstraction

Selected Submission


Severity

High Risk

Relevant GitHub Links

https://github.com/Cyfrin/2024-04-airdropper/blob/781cf225664a4ad11e9654aaa39cc528016bf214/src/MerkleAirdrop.sol#L30

Summary

Users of account abstraction wallets can have a different address on zkSync Era than on Ethereum L1 for the same account, so an eligibility list built from their L1 addresses will not match them on the chain where the airdrop is deployed.

Vulnerability Details

The docs state:

"Our team is looking to airdrop 100 USDC tokens on the zkSync era chain to 4 lucky addresses based on their activity on the Ethereum L1. The Ethereum addresses are:

0x20F41376c713072937eb02Be70ee1eD0D639966C
0x277D26a45Add5775F21256159F089769892CEa5B
0x0c8Ca207e27a1a8224D1b602bf856479b03319e7
0xf6dBa02C01AF48Cf926579F77C9f874Ca640D91D"

A user claims USDC through the MerkleAirdrop::claim function, which takes an account, an amount and a proof array; with these three arguments the Merkle proof check ensures that the caller is eligible. However, the Merkle root was generated from the lucky users' Ethereum addresses, while the protocol will be deployed on the zkSync Era chain. If any of these users controls their funds through an account abstraction wallet, they will not be able to claim their tokens, because account abstraction wallets have different addresses on different chains for the same account.

Impact

Users with account abstraction wallets have a different address on the zkSync Era chain than the Ethereum address that was put into the Merkle tree. These users will not be able to claim their USDC tokens, because the Merkle root only verifies claims for the Ethereum address, which they do not control on zkSync Era.

Tools Used

Manual Review

Recommendations

Ensure that the addresses in the makeMerkle file for the lucky users are the addresses they control on the zkSync Era chain, not their Ethereum L1 addresses.
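As an added illustration (not code from this report or from the audited repository), the following Python script rebuilds the Merkle eligibility check offline and shows the failure described above: a proof generated for a user's Ethereum address does not verify for the different address that user controls on zkSync Era, and regenerating the tree from the zkSync-side addresses fixes it. It uses hashlib.sha3_256 as a stand-in for keccak256, assumes a leaf encoding of H(H(address || amount)) with sorted pair hashing, and the claim amount and the zkSync-side address are constructed placeholders.

```python
import hashlib

# Stand-in for keccak256: hashlib's sha3_256 uses different padding, but the
# Merkle tree and proof logic are identical, which is what matters here.
def h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def leaf(account: str, amount: int) -> bytes:
    """Leaf = H(H(address || amount)). Assumed encoding for this example;
    not taken from the audited contract."""
    addr = bytes.fromhex(account[2:])          # 20-byte address
    return h(h(addr + amount.to_bytes(32, "big")))

def pair_hash(a: bytes, b: bytes) -> bytes:
    # Sorted pair hashing, so a proof needs no left/right flags.
    return h(a + b) if a < b else h(b + a)

def build_tree(leaves):
    """Return the tree as a list of levels: level 0 = leaves, last = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]              # duplicate last node on odd levels
        levels.append([pair_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def root(levels) -> bytes:
    return levels[-1][0]

def proof(levels, index):
    """Sibling path from leaf `index` to the root."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify(path, root_, leaf_) -> bool:
    node = leaf_
    for sibling in path:
        node = pair_hash(node, sibling)
    return node == root_

# The four Ethereum L1 addresses quoted in the report's docs excerpt.
L1_ADDRESSES = [
    "0x20F41376c713072937eb02Be70ee1eD0D639966C",
    "0x277D26a45Add5775F21256159F089769892CEa5B",
    "0x0c8Ca207e27a1a8224D1b602bf856479b03319e7",
    "0xf6dBa02C01AF48Cf926579F77C9f874Ca640D91D",
]
AMOUNT = 25 * 10**6                     # constructed sample amount (USDC units)
ZKSYNC_AA_ADDRESS = "0x" + "11" * 20    # constructed placeholder: the address the
                                        # first user's AA wallet has on zkSync Era

def claim_ok(levels, claimant: str, amount: int, list_index: int) -> bool:
    """Mimic MerkleAirdrop::claim(account, amount, proof): the proof is the one
    generated for entry `list_index`, but the claim is made for `claimant`."""
    return verify(proof(levels, list_index), root(levels), leaf(claimant, amount))

def demo():
    levels = build_tree([leaf(a, AMOUNT) for a in L1_ADDRESSES])
    # EOA user: same address on both chains, claim verifies.
    ok_eoa = claim_ok(levels, L1_ADDRESSES[0], AMOUNT, 0)
    # AA user: zkSync address differs from the L1 one in the tree, claim fails.
    ok_aa = claim_ok(levels, ZKSYNC_AA_ADDRESS, AMOUNT, 0)
    # Fix: build the tree from the addresses users actually control on zkSync Era.
    fixed = [ZKSYNC_AA_ADDRESS] + L1_ADDRESSES[1:]
    fixed_levels = build_tree([leaf(a, AMOUNT) for a in fixed])
    ok_fixed = claim_ok(fixed_levels, ZKSYNC_AA_ADDRESS, AMOUNT, 0)
    return ok_eoa, ok_aa, ok_fixed

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The tree is what the makeMerkle script produces; the recommendation amounts to feeding it the right address list, since nothing in the contract can map an Ethereum address to the zkSync address that belongs to the same account.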