SlowMist: Eligibility for the Connext airdrop is verified through a Merkle proof, so users who are not eligible cannot bypass the verification to claim someone else's airdrop
ChainCatcher news: according to SlowMist intelligence, some accounts' NEXT tokens were claimed to unintended addresses. The SlowMist security team followed up with an analysis and shared a brief summary as follows:
Users can claim NEXT tokens through the claimBySignature function of the NEXT Distributor contract. There are two roles involved: the recipient role, which is used to receive the claimed NEXT tokens, and the beneficiary role, which is the address eligible to receive NEXT tokens, determined when the Connext protocol announced the airdrop eligibility.
When a user claims NEXT tokens, the contract performs two checks: first, it checks the signature of the beneficiary role; second, it checks whether the beneficiary role is eligible to receive the airdrop. In the first check, it verifies whether the recipient address provided by the user has been signed by the beneficiary role, so arbitrarily providing a recipient address without the beneficiary's signature cannot pass the check.
If a beneficiary address is specified in order to construct a signature, the signature check may pass, but the second check, for airdrop eligibility, will not. The airdrop eligibility check is performed through a Merkle proof, which must be generated by the official Connext protocol. Therefore, users who are not eligible to receive the airdrop cannot bypass the check to claim someone else's airdrop.
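The two-check flow described in the summary, written out as an added illustrative contract. This is not the NEXT Distributor's code; the contract name, the signed message layout and the leaf format are assumptions, and it relies on OpenZeppelin Contracts v5 for ECDSA recovery and Merkle proof verification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts v5 (not the NEXT Distributor's own code).
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical distributor modelled on the two-check claim flow:
///   1. the beneficiary must have signed the recipient it wants paid;
///   2. the beneficiary must be a leaf of the operator-published Merkle tree.
contract ExampleDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    bytes32 public immutable merkleRoot; // published by the airdrop operator off-chain
    mapping(address => bool) public claimed;

    event Claimed(address indexed beneficiary, address indexed recipient, uint256 amount);

    constructor(IERC20 _token, bytes32 _merkleRoot) {
        token = _token;
        merkleRoot = _merkleRoot;
    }

    function claimBySignature(
        address recipient,
        address beneficiary,
        uint256 amount,
        bytes32[] calldata proof,
        bytes calldata signature
    ) external {
        require(!claimed[beneficiary], "already claimed");

        // Check 1: the signature must come from `beneficiary` and must bind the
        // recipient, the amount, this contract and the chain id, so a signature
        // cannot be reused for another recipient, deployment or chain.
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(recipient, beneficiary, amount, address(this), block.chainid))
        );
        require(ECDSA.recover(digest, signature) == beneficiary, "bad signature");

        // Check 2: (beneficiary, amount) must be a leaf under the operator's root.
        // Passing check 1 with a self-chosen beneficiary is trivial (the caller
        // holds that key), but such a beneficiary has no leaf in the tree, so the
        // proof fails here. Leaves are double-hashed to rule out second-preimage
        // confusion between leaf and internal-node encodings.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(beneficiary, amount))));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "not eligible");

        claimed[beneficiary] = true;
        token.safeTransfer(recipient, amount);
        emit Claimed(beneficiary, recipient, amount);
    }
}
```

The point of the order of checks is the one the summary makes: a signature only proves control of the beneficiary key, while the Merkle proof proves membership in a list the operator fixed in advance. Neither check alone is sufficient; a valid proof without the beneficiary's signature would let anyone redirect an eligible address's tokens, and a valid signature without a proof would let anyone "claim" for an address that was never eligible.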