Snowman Merkle Airdrop
First Flight #42
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

nhippolyt

Description:

The Snow::buySnow function contains a critical flaw where it resets a global timer (s_earnTimer) to the current block timestamp on every invocation. This timer controls eligibility for free token claims via Snow::earnSnow(), which requires 1 week to pass since the last timer reset. As a result:

Any token purchase (via buySnow) blocks all free claims for all users for 7 days

Malicious actors can permanently suppress free claims with micro-transactions

Contradicts protocol documentation promising "free weekly claims per user"

Impact:

  • Complete Denial-of-Service: Free claim mechanism becomes unusable

  • Broken Protocol Incentives: Undermines core user acquisition strategy

  • Economic Damage: Eliminates promised free distribution channel

  • Reputation Harm: Users perceive protocol as dishonest

function buySnow(uint256 amount) external payable canFarmSnow {
if (msg.value == (s_buyFee * amount)) {
_mint(msg.sender, amount);
} else {
i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
_mint(msg.sender, amount);
}
@> s_earnTimer = block.timestamp;
emit SnowBought(msg.sender, amount);
}

Risk

Likelihood:

• Triggered by normal protocol usage (any purchase)
• Requires only one transaction every 7 days to maintain blockage
• Incentivized attack (low-cost disruption)

Impact:

• Permanent suppression of core protocol feature
• Loss of user trust and adoption
• Violates documented tokenomics

Proof of Concept

Attack Scenario: Permanent Free Claim Suppression

  • Attacker calls buySnow(1) with minimum payment

  • s_earnTimer sets to current timestamp (T0)

  • All earnSnow() calls revert for next 7 days

  • On day 6, attacker repeats buySnow(1)

  • New timer reset (T1 = T0+6 days)

  • Free claims blocked until T1+7 days (total 13 days)

  • Repeat step 4 every 6 days → permanent blockage
    Test Case:

// Day 0: Deploy contract
snow = new Snow(...); // s_earnTimer = 0
// UserA claims successfully
snow.earnSnow(); // Success (first claim always allowed)
// Day 1: UserB buys 1 token
snow.buySnow(1); // Resets global timer to day 1
// Day 2: UserA attempts claim
snow.earnSnow(); // Reverts! Requires day 1+7 = day 8
// Day 7: UserC buys 1 token (day 7 < day 1+7)
snow.buySnow(1); // Resets timer to day 7
// Day 8: UserA retries
snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14

Recommended Mitigation

Step 1: Remove Global Timer Reset from buySnow

function buySnow(uint256 amount) external payable canFarmSnow {
// ... existing payment logic ...
- s_earnTimer = block.timestamp;
emit SnowBought(msg.sender, amount);
}

Step 2: Implement Per-User Timer in earnSnow

// Add new state variable
mapping(address => uint256) private s_lastClaimTime;
function earnSnow() external canFarmSnow {
// Check per-user timer instead of global
if (s_lastClaimTime[msg.sender] != 0 &&
block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks
) {
revert S__Timer();
}
_mint(msg.sender, 1);
s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer
emit SnowEarned(msg.sender, 1); // Add missing event
}

Step 3: Initialize First Claim (Constructor)

constructor(...) {
// Initialize with current timestamp to prevent immediate claims
s_lastClaimTime[address(0)] = block.timestamp;
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge 20 days ago
Submission Judgement Published
Validated
Assigned finding tags:

buying of snow resets global timer thus affecting earning of free snow

When buySnow is successfully called, the global timer is reset. This inadvertently affects the earning of snow as that particular action also depends on the global timer.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.