Snowman Merkle Airdrop

First Flight #42
Beginner Friendly | Foundry | Solidity | NFT
100 EXP
Submission Details
Severity: high
Valid

Missing access control when minting Snowman NFTs

Root + Impact

In Snowman.sol, anyone can call mintSnowman and mint Snowman NFTs, because the function performs no check on msg.sender.

Description

    //@audit missing access control: no restriction on who may call this function
    function mintSnowman(address receiver, uint256 amount) external {
        for (uint256 i = 0; i < amount; i++) {
            _safeMint(receiver, s_TokenCounter);
            emit SnowmanMinted(receiver, s_TokenCounter);
            s_TokenCounter++;
        }
    }

Risk

Likelihood:

  • The likelihood is very high, as anyone can mint these NFTs.


Impact:

  • Genuine users who staked their tokens to receive these NFTs lose value, since anyone can mint Snowman NFTs for free without staking.

  • The value of the NFTs is also affected: anyone can mint them repeatedly, inflating the supply and driving demand down.

Proof of Concept

Paste this test into TestSnowman.t.sol and run: forge test --mt testAnyoneCanMintNft -vv

    function testAnyoneCanMintNft() external {
        // An arbitrary address that never took part in the airdrop
        address user = makeAddr("user");
        // Mint succeeds even though the caller is not the airdrop contract
        nft.mintSnowman(user, 1);
        assert(nft.balanceOf(user) == 1);
        console2.log("nft balance of user:", nft.balanceOf(user));
    }

Recommended Mitigation

Add access control to mintSnowman so that only the airdrop contract (SnowmanAirdrop.sol) can mint these NFTs.
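One way to implement that restriction, as an added example rather than the project's own code: the Snowman contract stores the airdrop contract's address at deployment and rejects every other caller. The names i_airdrop, onlyAirdrop, the custom errors and the constructor signature are assumptions for this example; only mintSnowman, s_TokenCounter and SnowmanMinted come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

// Hardened sketch of the mint path. Everything except mintSnowman,
// s_TokenCounter and SnowmanMinted is an assumption for this example.
contract SnowmanHardened is ERC721 {
    error Snowman__NotAirdrop(address caller);
    error Snowman__ZeroAddress();
    event SnowmanMinted(address indexed receiver, uint256 indexed tokenId);

    address private immutable i_airdrop; // the only permitted minter
    uint256 private s_TokenCounter;

    constructor(address airdrop) ERC721("Snowman", "SNOW") {
        if (airdrop == address(0)) revert Snowman__ZeroAddress();
        i_airdrop = airdrop;
    }

    // Reverts for any caller other than the airdrop contract.
    modifier onlyAirdrop() {
        if (msg.sender != i_airdrop) revert Snowman__NotAirdrop(msg.sender);
        _;
    }

    function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
        for (uint256 i = 0; i < amount; i++) {
            _safeMint(receiver, s_TokenCounter);
            emit SnowmanMinted(receiver, s_TokenCounter);
            s_TokenCounter++;
        }
    }
}

// Foundry regression test for the fix (assumes the constructor above).
contract SnowmanHardenedTest is Test {
    function testOnlyAirdropCanMint() external {
        address airdrop = makeAddr("airdrop");
        address user = makeAddr("user");
        SnowmanHardened nft = new SnowmanHardened(airdrop);
        vm.prank(user); // unprivileged caller must be rejected
        vm.expectRevert(abi.encodeWithSelector(SnowmanHardened.Snowman__NotAirdrop.selector, user));
        nft.mintSnowman(user, 1);
        vm.prank(airdrop); // the airdrop contract still mints normally
        nft.mintSnowman(user, 1);
        assertEq(nft.balanceOf(user), 1);
    }
}
```

Because i_airdrop is immutable, the minter cannot be changed after deployment; if the airdrop contract may be redeployed, an owner-controlled setter with its own access control is needed instead.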

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.
