Preliminary audit reports (#626)

* Preliminary audit reports * rename * correct contract name
thirdweb-dev · Mar 11, 2024 · c22fcfd · c22fcfd
1 parent 90ca7b4
commit c22fcfd
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/audit-reports/preliminary-audits/airdroperc20-claimable.md b/audit-reports/preliminary-audits/airdroperc20-claimable.md
@@ -0,0 +1,11 @@
+This document contains details on fixes / response to the preliminary audit reports added to this repository.
+
+## [AirdropERC20Claimable](./airdroperc20-claimable.pdf)
+
+### 01: Governance: TrustedForwarder can execute claims on behalf of other addresses
+
+- The contract doesn't add a trusted-forwarder address by default. The deployer of AirdropERC20Claimable can specify which forwarder they want to use (if any), or leave as address zero.
+
+### 02: Malicious users can steal the entire balance of the contract
+
+- This refers to the possibility of a sybil attack on open/public claims, where multiple wallets can be created to claim the quantity specified by `openClaimLimitPerWallet`. To prevent this scenario or any kind of public claiming, deployer can set `openClaimLimitPerWallet` to zero when setting claim conditions during deployment.
diff --git a/audit-reports/preliminary-audits/airdroperc20-claimable.pdf b/audit-reports/preliminary-audits/airdroperc20-claimable.pdf