Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Incorrect Token Minting

Root + Impact

Token minting functions issue fractional tokens instead of whole units.

Description

  • Normal Behavior: Purchasing/earning should mint whole tokens

  • Issue: Minting uses raw numbers without decimal conversion

// Snow.sol
function buySnow(uint256 amount) external payable {
@>  _mint(msg.sender, amount); // Mints base units
}

function earnSnow() external {
@>  _mint(msg.sender, 1); // Mints 1 wei
}

Risk

Likelihood:

  • Affects 100% of token minting transactions

  • Protocol-wide economic miscalculation

Impact:

  • Purchasers receive worthless fractional tokens

  • Earn function provides negligible value

  • Protocol tokenomics rendered nonfunctional

Proof of Concept

// Shows incorrect token amounts
function testTokenDecimals() public {
    uint256 purchaseAmount = 100;
    hoax(user);
    snow.buySnow(purchaseAmount);
    // User receives 100 wei (0.0000000000000001 tokens)
    assertEq(snow.balanceOf(user), purchaseAmount);
}

Explanation: Minting 100 units creates 100 wei of the token (10^-16 tokens) instead of 100 full tokens.

Recommended Mitigation

function buySnow(uint256 tokenAmount) external payable {
+ uint256 amount = tokenAmount * 10**decimals();
_mint(msg.sender, amount);
}
function earnSnow() external {
+ _mint(msg.sender, 1 * 10**decimals());
}
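
Review bot: In buySnow, the new local `amount` now holds the scaled value while the function stays `payable` with no visible check tying msg.value to the purchase, so any fee calculation in the full function must use `tokenAmount`, not `amount`, or the price rises by a factor of 10**decimals(). The signature line also renames the parameter without `-`/`+` markers, so the patch does not apply as written; show the old and new signature explicitly. In earnSnow, `1 * 10**decimals()` can be written `10**decimals()`. Both changes alter the unit of every balance, so any code that reads balanceOf as a whole-token count needs the matching conversion.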

Explanation: Converts whole-token amounts to wei (base units) using the ERC20 decimals() value.

Updates

Lead Judging Commences

yeahchibyke Lead Judge
3 months ago
yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
