Connext Airdrop Farce: Phantom Bug and an Endless Sybil Hunt

OdailyNews
2023-09-06 11:20:01
As the project rises a foot, the sybils rise a yard.

Author: Qin Xiaofeng, Odaily Planet Daily

After a two-week wait, the Layer 2 interoperability protocol Connext finally opened airdrop claims, and the launch quickly descended into confusion.

Just half an hour after claims opened, crypto KOL "Pig Bang" posted that the Connext airdrop contract might contain a vulnerability that would let "scientists" (bot operators) drain other users' NEXT airdrops without limit, and attached an address starting with 0x44Af that showed frequent claim records.

The news spread widely in the community. Users who then analyzed the on-chain data found that the 0x44Af address had been created only that day, had claimed more than 230 times since the airdrop opened, and had sold all of the tokens it obtained for ETH, USDT and USDC, netting a profit of about $39,000.

Around the same time the airdrop claim site began to fail, with some users reporting that they could not complete a claim, which fuelled rumors in the community that the team had shut down claims because of the vulnerability.

In fact, the Connext airdrop contract has no such vulnerability.

Crypto KOL "Pig Bang" later stated that the Connext airdrop contract is secure and that his initial analysis had misled readers. He explained that although the contract allows the sender and the recipient to be different addresses, it requires the eligible address to sign an authorization for the call.

"First, the claiming method is claimBySignature, and its last parameter passes the signature information; this 'signature' is something the user has to generate through the smart contract or by other means. So we can understand it as: _signature is a credential, and the _recipient user can use this credential to obtain tokens from the _beneficiary address." He added that the address starting with 0x44Af is most likely a studio (airdrop farming operation) consolidating tokens, rather than evidence of a vulnerability in the contract itself.

Smart Contract Information

The SlowMist security team told Odaily Planet Daily that there is no obvious vulnerability in the Connext airdrop contract that would allow others to fraudulently claim the airdrop.

Users claim NEXT tokens through the NEXT Distributor contract's claimBySignature function, which involves two roles: the recipient is the address that receives the claimed NEXT tokens, while the beneficiary is the address eligible to claim, as fixed when the Connext protocol announced the airdrop eligibility list. When a user claims, the contract performs two checks: first, it verifies the beneficiary's signature, and second, it verifies that the beneficiary is eligible for the airdrop.

The first check verifies that the recipient passed in by the caller was signed by the beneficiary, so passing in an arbitrary recipient without the beneficiary's signature fails. Even if someone constructs a valid signature for a beneficiary address of their own choosing, that address cannot pass the second check for eligibility, which is a Merkle proof generated from the official Connext eligibility data. Users who are not eligible therefore cannot bypass the checks to claim someone else's airdrop.

In short, if user A's address is eligible to claim, A can authorize B to claim on its behalf. The 0x44Af address was able to claim so many tokens because many eligible addresses controlled by the same entity authorized it, not because a hacker exploited a vulnerability.
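The following is an added, constructed model of the two checks SlowMist describes above; it is illustrative code, not the NEXT Distributor contract. sha256 stands in for keccak256 and an HMAC under a per-address secret stands in for ECDSA signature recovery, and the addresses, amounts and keys are made up. It shows that an outsider fails the signature check, a self-signed ineligible address fails the Merkle check, and several eligible wallets authorising one collector all succeed, which is the pattern behind the 0x44Af address.

```python
import hashlib, hmac
# Constructed model of claimBySignature, not the Connext contract: sha256 stands
# in for keccak256 and HMAC for ECDSA recovery; only the two checks are modelled.
def h(b):
    return hashlib.sha256(b).digest()
def pair(a, b):                      # sorted-pair hashing, OpenZeppelin style
    return h(min(a, b) + max(a, b))
def leaf(beneficiary, amount):
    return h(f"{beneficiary}:{amount}".encode())

def merkle_root_and_proofs(leaves):
    proofs, layer, idx = [[] for _ in leaves], list(leaves), list(range(len(leaves)))
    while len(layer) > 1:
        layer += layer[-1:] if len(layer) % 2 else []   # duplicate odd tail
        for p, i in zip(proofs, idx):
            p.append(layer[i ^ 1])
        layer = [pair(a, b) for a, b in zip(layer[::2], layer[1::2])]
        idx = [i // 2 for i in idx]
    return layer[0], proofs
def verify_proof(root, node, proof):
    for sib in proof:
        node = pair(node, sib)
    return node == root

def sign(secret, recipient, beneficiary):
    # the beneficiary authorises `recipient` to collect its allocation
    return hmac.new(secret, f"{recipient}|{beneficiary}".encode(), "sha256").digest()

def claim_by_signature(root, keys, recipient, beneficiary, amount, proof, signature):
    # check 1: the signature over this recipient must come from the beneficiary
    if not hmac.compare_digest(sign(keys.get(beneficiary, b""), recipient, beneficiary), signature):
        return "bad signature"
    # check 2: (beneficiary, amount) must be in the official Merkle tree
    if not verify_proof(root, leaf(beneficiary, amount), proof):
        return "not eligible"
    return f"{amount} NEXT to {recipient}"

def run_scenarios():
    keys = {a: f"secret-{a}".encode() for a in ("0xA", "0xB", "0xC", "0xEVIL")}
    eligible = [("0xA", 100), ("0xB", 200), ("0xC", 300)]        # constructed list
    root, proofs = merkle_root_and_proofs([leaf(b, n) for b, n in eligible])
    out = {}
    # an outsider names an eligible beneficiary but cannot produce its signature
    out["no_sig"] = claim_by_signature(root, keys, "0xEVIL", "0xA", 100, proofs[0], b"\0" * 32)
    # an outsider signs for itself, but its own address has no valid proof
    out["not_in_tree"] = claim_by_signature(root, keys, "0xEVIL", "0xEVIL", 100, proofs[0], sign(keys["0xEVIL"], "0xEVIL", "0xEVIL"))
    # three eligible wallets all authorise one collector (the 0x44Af pattern)
    for i, (b, n) in enumerate(eligible):
        out[b] = claim_by_signature(root, keys, "0xCOLL", b, n, proofs[i], sign(keys[b], "0xCOLL", b))
    return out
```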

Interestingly, before the airdrop opened, Connext ran a "crackdown" on sybil addresses, inviting the community to help the team filter them out and offering reporters 25% of the recovered NEXT. According to official figures, a total of 5,725 sybil addresses were identified and removed from the eligibility list, recovering 5,932,065 tokens.

Judging by tonight's events, however, the anti-sybil campaign still left plenty of gaps, and even added obstacles to the airdrop itself.

Connext core contributor Arjun Bhuptani stated that the 0x44Af address is a sybil bot that flooded the Tokensoft backend with junk requests and crashed its API, which may also explain why the claim interface became unusable. (Odaily Note: blocking others from claiming may have been an attempt to secure a better selling price.)

The good news is that the team has acknowledged the issue and the airdrop will reopen. Connext stated: "We have identified the issue affecting the airdrop website that is preventing users from claiming. We detected bot activity that overloaded the server of our partner and service provider, Tokensoft. They are actively working to resolve this issue and restore normal claims. Everything should be back to normal soon."
