Merkle Airdrop: Definition, Smart Contract Example & Audit Notes

Merkle Airdrop

A Merkle airdrop is a token distribution where eligible claims are compressed into a Merkle root and users prove inclusion with Merkle proofs.

A Merkle airdrop lets many users claim tokens without storing every user on-chain.

Merkle Airdrop Explained in Detail

A Merkle airdrop stores one Merkle root on-chain instead of storing every eligible user. Each user submits a claim and a Merkle proof showing their data is included in the tree.

The leaf usually includes the recipient, amount, and sometimes an index or drop ID.

Smart contract example

bytes32 leaf = keccak256(abi.encode(index, account, amount));

The exact leaf format must match the off-chain tree generation.

Merkle Airdrop in Auditing

Merkle airdrop bugs can allow double claims, wrong-recipient claims, wrong amounts, or invalid proof acceptance.

Auditors review leaf encoding, proof verification, root updates, and claim tracking.

Red flags in code

The leaf omits recipient or amount.
Claims are not marked as used.
abi.encodePacked creates collision risk with variable-length fields.
Root can be changed without controls.
Duplicate leaves or indexes behave unexpectedly.

How to test or review it

Claim the same leaf twice and expect failure.
Try claiming another user's amount.
Mutate index, account, amount, and proof order.
Test root updates and old proof behavior.
Verify off-chain tree generation matches on-chain leaf encoding.

Sources

https://docs.openzeppelin.com/contracts/api/utils#MerkleProof