Snowman Merkle Airdrop

First Flight #42
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Unrestricted Access to mintSnowman() Allows Arbitrary NFT Minting

Root + Impact

Description

The mintSnowman() function in Snowman.sol is used to mint Snowman NFTs and is expected to be triggered only through authorized mechanisms such as airdrops or staking rewards.

However, the function lacks any access control and is marked public, so any address can call it directly and mint an arbitrary number of NFTs to any wallet. This breaks the protocol's intended NFT distribution logic.

```solidity
// Vulnerable as reported: no modifier or caller check guards this function.
function mintSnowman(address to, uint256 amount) public {
    for (uint256 i = 0; i < amount; i++) {
        uint256 newTokenId = s_tokenId++;
        _mint(to, newTokenId);
    }
}
```

This enables anyone to bypass the staking and airdrop process, minting unlimited NFTs for themselves or others without any restriction.

Risk

Likelihood:

  • Any external account can call mintSnowman() with a high amount and mint NFTs freely.

  • No check is performed to verify caller authorization.

  • Likely to be discovered by users inspecting the ABI or contract interface.

Impact:

  • Unauthorized NFT inflation

  • Breaks the staking/airdrop trust model

  • Undermines rarity and fairness of NFT supply

  • Could result in economic damage or loss of user trust

Proof of Concept

```solidity
// This transaction can be executed by any address:
Snowman.mintSnowman(attackerAddress, 1000);
// 1000 NFTs minted without staking, claim, or reward system
```
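The following is an added example, not code from the Snowman Merkle Airdrop project, showing one hardened form of the mint function alongside a Foundry test that confirms the call from the proof of concept above reverts while the authorized airdrop contract can still mint. The contract name, the `i_airdrop` immutable, the custom error, and the ERC721 name/symbol are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

// Hardened variant (assumed names): only the airdrop contract fixed at
// deployment may mint; every other caller reverts before the loop runs.
contract SnowmanHardened is ERC721 {
    error Snowman__NotAirdrop();
    address private immutable i_airdrop;
    uint256 private s_tokenId;

    modifier onlyAirdrop() {
        if (msg.sender != i_airdrop) revert Snowman__NotAirdrop();
        _;
    }

    constructor(address airdrop) ERC721("Snowman", "SNOW") {
        i_airdrop = airdrop;
    }

    // external instead of public: no internal caller needs it.
    function mintSnowman(address to, uint256 amount) external onlyAirdrop {
        for (uint256 i = 0; i < amount; i++) {
            _mint(to, s_tokenId++);
        }
    }
}

contract SnowmanHardenedTest is Test {
    SnowmanHardened snowman;
    address airdrop = makeAddr("airdrop");   // constructed test address
    address attacker = makeAddr("attacker"); // constructed test address

    function setUp() public {
        snowman = new SnowmanHardened(airdrop);
    }

    function test_attackerCannotMint() public {
        vm.prank(attacker);
        vm.expectRevert(SnowmanHardened.Snowman__NotAirdrop.selector);
        snowman.mintSnowman(attacker, 1000); // the PoC call now reverts
    }

    function test_airdropCanMint() public {
        vm.prank(airdrop);
        snowman.mintSnowman(attacker, 1);
        assertEq(snowman.balanceOf(attacker), 1);
    }
}
```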

Recommended Mitigation

- remove this code
- function mintSnowman(address to, uint256 amount) public {
+ add this code
+ function mintSnowman(address to, uint256 amount) public onlyAirdrop {
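Review bot: the `onlyAirdrop` modifier introduced on the `+` line is not defined anywhere in the suggested change, so the patch as shown does not compile and the fix is incomplete. The mitigation should also include the modifier's definition (revert when `msg.sender` is not the airdrop contract) and how the authorized airdrop address is set, for example as an immutable in the constructor; consider marking the function `external` as well, since nothing on the page calls it internally.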
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.
