Description

The updateTokenShares function is intended to be called by the contract owner to update the Merkle root representing users' percentage claims to a token, list tokens available for claim, and claimable amounts. However, due to a mistake, this function tries to transfer tokens from the contract to the owner, instead of allowing the owner to send tokens to the contract for users to claim.

function updateTokenShares(bytes32 merkleRoot, address[] calldata tokens, uint256[] calldata amounts)
    external
    onlyOwner
{
    if (merkleRoot.length == 0 || tokens.length == 0 || tokens.length != amounts.length) revert InvalidInput();

    uint256 length = tokens.length;
    uint256 i;
    while (i < length) {
        IERC20(tokens[i]).safeTransfer(msg.sender, amounts[i]);

        unchecked { i++; }
    }

    _setTokenShares(merkleRoot, tokens, amounts);
}

Impact

This functionality does not work because, as a result of an error, the owner cannot send tokens to the contract so that users can withdraw them later.

Recommendations

Modify the updateTokenShares function to transfer tokens from msg.sender to the contract address as shown below:

function updateTokenShares(bytes32 merkleRoot, address[] calldata tokens, uint256[] calldata amounts)
        external
        onlyOwner
    {
        ...
            IERC20(tokens[i]).safeTransferFrom(msg.sender, address(this), amounts[i]);
        ...

Remediation

This issue has been acknowledged by SAX, and a fix was implemented in commit b5651803↗.