Can't claim last part of airdrop

[code423n4]

Handle

gpersoon

Vulnerability details

Impact

Suppose you are eligible for the last part of your airdrop (or your entire airdrop if you haven't claimed anything yet).
Then you call the function claim() of AirdropDistribution.sol, which has the following statement:
"assert(airdrop[msg.sender].amount - claimable != 0);"
This statement will prevent you from claiming your airdrop because it will stop execution.

Note: with the function claimExact() it is possible to claim the last part.

Proof of Concept

// https://github.com/code-423n4/2021-11-bootfinance/blob/7c457b2b5ba6b2c887dafdf7428fd577e405d652/vesting/contracts/AirdropDistribution.sol#L522-L536

function claim() external nonReentrant {
..
assert(airdrop[msg.sender].amount - claimable != 0);
airdrop[msg.sender].amount -= claimable;

Tools Used

Recommended Mitigation Steps

Remove the assert statement.
Also add the following to validate() , to prevent claiming the airdrop again:
require(validated[msg.sender]== 0, "Already validated.");

[chickenpie347]

Patched it with assert(airdrop[msg.sender].amount - claimable >= 0); the >=0 check is just to ensure the claimant does not end up claiming more than allocated due to any fringe case.

[0xean]

Downgrading to medium risk as an alternative path does exist for claiming the drop. Funds are not lost, but the availability of them is compromised. Per Docs:

2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
3 — High: Assets can be stolen/lost/compromised directly (or indirectly if there is a valid attack path that does not have hand-wavy hypotheticals).