Medium Findings

Allocation ID Collision Enables Beneficiary Hijacking

Severity: Medium

Ecosystem: Sui

Protocol: Magna Airlock

Auditor: Zellic

Report: https://github.com/Zellic/publications/blob/master/Magna Airlock - Zellic Audit Report.pdf

Report Date: Nov 2025

Description:

DistributionState is keyed only by allocation_id, not by the unique leaf content. If two merkle leaves share the same allocation_id, they share the same beneficiary. The first withdrawal for a given allocation_id permanently locks the beneficiary address, and subsequent withdrawals with different leaves but the same ID will use that locked beneficiary. If two users have different leaves but both have an allocation_id == 999, whoever withdraws first becomes the beneficiary for both allocations.

Move Vulnerability Database

Medium Findings

Allocation ID Collision Enables Beneficiary Hijacking