Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Event Emission Before Transfer in SnowmanAirdrop.sol

Root + Impact

Description

  • Normal Behavior: The SnowmanClaimedSuccessfully event should be emitted after successfully minting NFTs, ensuring accurate indexing.

  • Specific Issue: The event is emitted before calling mintSnowman, violating Checks-Effects-Interactions. If mintSnowman reverts, the event misleads indexers, logging a successful claim without NFT minting.

    // Root cause in the codebase with @> marks to highlight the relevant section
    function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
        external
        nonReentrant
    {
        emit SnowmanClaimedSuccessfully(receiver, amount); // @> Emitted too early
        i_snowman.mintSnowman(receiver, amount); // @> May revert
    }

Risk

Likelihood:

  • Occurs if mintSnowman reverts, possible due to gas limits or future Snowman.sol changes.

  • Common in contracts with external calls, especially during high network congestion.

Impact:

  • Misleads indexers, causing incorrect claim tracking and user confusion.

  • Affects dApps relying on event logs, potentially leading to inconsistent states.

Proof of Concept

    SnowmanAirdrop airdrop = SnowmanAirdrop(airdropAddress);
    airdrop.claimSnowman(user, merkleProof, v, r, s); // Emits event, mint may fail

Recommended Mitigation

- emit SnowmanClaimedSuccessfully(receiver, amount);
i_snowman.mintSnowman(receiver, amount);
+ emit SnowmanClaimedSuccessfully(receiver, amount);
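Review bot: Moving the emit below i_snowman.mintSnowman(receiver, amount) does not change what indexers can observe, because the lines shown call mintSnowman directly with no try/catch: if the mint reverts, the whole claimSnowman call reverts and the earlier emit is discarded with it. The reorder is fine as a readability choice, but the mitigation should describe it that way. It would only affect logged state if the mint were wrapped in a try/catch that let the function continue after a failed mint.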
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
