Omniscia AllianceBlock Audit

MerkleDistributorWithDeadline Manual Review Findings

MDW-01M: Ambiguous Contract State

Type | Severity | Location
Logical Fault | | MerkleDistributorWithDeadline.sol:L23, L28

Description:

The endTime variable of the MerkleDistributorWithDeadline contract is used ambiguously in the claim and withdraw functions, as a state of block.timestamp == endTime disallows both operations from being executed.

Impact:

While of no security concern to the codebase, an indeterminate state can cause ambiguities in the code's behaviour that may be unexpected by its callers.

Example:

contracts/MerkleDistributorWithDeadline.sol
22 function claim(uint256 index, address account, uint256 amount, bytes32[] calldata merkleProof) public override {
23     if (block.timestamp > endTime) revert ClaimWindowFinished();
24     super.claim(index, account, amount, merkleProof);
25 }
26
27 function withdraw() external onlyOwner {
28     if (block.timestamp < endTime) revert NoWithdrawDuringClaim();
29     IERC20(token).safeTransfer(msg.sender, IERC20(token).balanceOf(address(this)));
30 }

Recommendation:

We advise either of the two functions to perform the block.timestamp comparison inclusively, ensuring that the contract has no indeterminate states.

Alleviation:

The ambiguous contract state was alleviated by rendering the claim function's endTime conditional inclusive, signalling that claims are possible up to but not at the value of endTime.
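
A boundary test makes the behaviour around endTime explicit. The Foundry test below is an added example, not code from the audited project or from this report: DeadlineGuards is a hypothetical harness that keeps only the two timestamp guards (as excerpted, and with the claim comparison made inclusive as the alleviation describes), and END is a constructed deadline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import {Test} from "forge-std/Test.sol";

// Hypothetical harness: only the two timestamp guards are modelled. The Merkle
// proof check, the token transfer and onlyOwner are left out on purpose.
contract DeadlineGuards {
    error ClaimWindowFinished();
    error NoWithdrawDuringClaim();
    uint256 public immutable endTime;
    bool public immutable inclusiveClaim; // false: `>` as excerpted, true: `>=` as alleviated

    constructor(uint256 endTime_, bool inclusiveClaim_) {
        endTime = endTime_;
        inclusiveClaim = inclusiveClaim_;
    }

    function claim() external view {
        bool closed = inclusiveClaim ? block.timestamp >= endTime : block.timestamp > endTime;
        if (closed) revert ClaimWindowFinished();
    }

    function withdraw() external view {
        if (block.timestamp < endTime) revert NoWithdrawDuringClaim();
    }
}

contract DeadlineBoundaryTest is Test {
    uint256 constant END = 1_700_000_000; // constructed sample deadline

    // Counts how many of the two operations pass their guard at timestamp `t`.
    function admitted(DeadlineGuards g, uint256 t) internal returns (uint256 n) {
        vm.warp(t);
        try g.claim() { n++; } catch {}
        try g.withdraw() { n++; } catch {}
    }

    function test_excerptedGuards() public {
        DeadlineGuards g = new DeadlineGuards(END, false);
        assertEq(admitted(g, END - 1), 1); // claim only
        assertEq(admitted(g, END), 2);     // neither `>` nor `<` holds at END
        assertEq(admitted(g, END + 1), 1); // withdraw only
    }

    function test_alleviatedGuards() public {
        DeadlineGuards g = new DeadlineGuards(END, true);
        for (uint256 t = END - 1; t <= END + 1; t++) {
            assertEq(admitted(g, t), 1); // exactly one operation per timestamp
        }
    }
}
```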