Snowman Merkle Airdrop

First Flight #42
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

NFT can be minted by simple call of mintSnowman without restrictions

Root + Impact

Description

  • mintSnowman in Snowman.sol is not restricted to being called by SnowmanAirdrop only.

  • Any caller can invoke mintSnowman with an arbitrary receiver and amount and obtain any number of NFTs for free.

function mintSnowman(address receiver, uint256 amount) external {
    for (uint256 i = 0; i < amount; i++) {
        _safeMint(receiver, s_TokenCounter);
        emit SnowmanMinted(receiver, s_TokenCounter);
        s_TokenCounter++;
    }
}

Risk

Likelihood:

  • Exploitable as soon as Snowman.sol is deployed; no special preconditions are required.


Impact:

  • The value of the NFT collection can be impacted by unlimited minting of tokens.

  • Anyone can mint any amount of NFTs for free.

Proof of Concept

The mintSnowman(address receiver, uint256 amount) function is intended to be called only by the SnowmanAirdrop contract. However, without access control, any external account or contract can call this function and mint tokens arbitrarily.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Attacker {
    address public snowmanToken;

    constructor(address _snowmanToken) {
        snowmanToken = _snowmanToken;
    }

    function exploit(address to, uint256 amount) external {
        // Anyone can call mintSnowman and mint tokens to any address
        (bool success, ) = snowmanToken.call(
            abi.encodeWithSignature("mintSnowman(address,uint256)", to, amount)
        );
        require(success, "Exploit failed");
    }
}

Recommended Mitigation

mintSnowman must be restricted, via a modifier, so that only the SnowmanAirdrop smart contract can call it.
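As an added example (not code from this submission or from the Snowman project), a minimal hardened stand-in for Snowman.sol together with a Foundry test that checks the gate: an arbitrary account can no longer reach the mint loop from the finding, while the configured airdrop address still can. It assumes OpenZeppelin v5 (ERC721, Ownable) and forge-std; the contract, error and address names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not the project's code. Assumes OpenZeppelin v5 (ERC721, Ownable)
// and Foundry's forge-std; contract and error names here are hypothetical.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";
contract SnowmanHardened is ERC721, Ownable {
    error Snowman__NotAirdrop();
    error Snowman__AirdropAlreadySet();
    address private s_airdrop;
    uint256 private s_tokenCounter;
    constructor() ERC721("Snowman", "SNOWMAN") Ownable(msg.sender) {}
    // Set once: a re-settable minter address would let the owner re-point minting later.
    function setSnowmanAirdrop(address airdrop) external onlyOwner {
        if (s_airdrop != address(0)) revert Snowman__AirdropAlreadySet();
        s_airdrop = airdrop;
    }
    modifier onlyAirdrop() {
        if (msg.sender != s_airdrop) revert Snowman__NotAirdrop();
        _; // without this placeholder the guarded function body never runs
    }
    // Same loop as the finding's mintSnowman, now reachable only by the airdrop.
    function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
        for (uint256 i = 0; i < amount; i++) {
            _safeMint(receiver, s_tokenCounter);
            s_tokenCounter++;
        }
    }
}

contract SnowmanHardenedTest is Test {
    SnowmanHardened nft;
    address airdrop = makeAddr("airdrop");
    address attacker = makeAddr("attacker");
    function setUp() public {
        nft = new SnowmanHardened(); // test contract is the owner
        nft.setSnowmanAirdrop(airdrop);
    }
    // The PoC's call path from an arbitrary account must now revert.
    function test_arbitraryCallerCannotMint() public {
        vm.prank(attacker);
        vm.expectRevert(SnowmanHardened.Snowman__NotAirdrop.selector);
        nft.mintSnowman(attacker, 10);
    }
    function test_airdropCanMint() public {
        vm.prank(airdrop);
        nft.mintSnowman(attacker, 2);
        assertEq(nft.balanceOf(attacker), 2);
    }
}
```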

+ modifier onlySnowmanAirdropCanCall() {
+ require(msg.sender == _snowmanairdrop);
+}
+ address private _snowmanairdrop;
+ function setSnowmanAirdrop(address snowmanAirdropAddress) external onlyOwner {
+ _snowmanairdrop = snowmanAirdropAddress
+ }
- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlySnowmanAirdropCanCall {
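Review bot: the modifier onlySnowmanAirdropCanCall has no `_;` placeholder, so after the require passes the body of mintSnowman is never executed and the function becomes a no-op; add `_;` after the require. In the same hunk, `+ _snowmanairdrop = snowmanAirdropAddress` is missing its terminating semicolon and will not compile, the require carries no revert reason, and onlyOwner assumes an Ownable-style owner that the hunk does not show being inherited. Consider also making setSnowmanAirdrop one-time (revert if _snowmanairdrop is already set) so the owner cannot later re-point minting at an arbitrary address.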
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.
