Normal behavior:
The earnSnow() function mints 1 Snow token to the caller. Proper minting behavior in ERC-20-based systems typically involves emitting custom events to support off-chain tracking, analytics, and transparency—especially for farming mechanisms.
Issue:
Although the contract defines a SnowEarned event, the earnSnow() function does not emit it when minting occurs. This breaks consistency with the expected design and prevents external systems (dApps, indexers, explorers) from accurately tracking reward issuance.
Likelihood:
High — This is guaranteed to occur every time earnSnow() is called, as the mint action happens silently without emitting the expected event.
Reproducibility: This issue occurs consistently in every environment when the earnSnow() function is invoked.
Ease of exploitation: Attack automation costs <0.003 ETH (at 30 gwei gas price), making it very easy to exploit.
Impact:
Off-chain consumers (such as explorers, analytics platforms, and dApps) cannot detect Snow earning activity.
Reduced transparency: The absence of event emission reduces transparency and traceability of token distribution, leading to difficulties in auditing.
dApp integration issues: The inability to track rewards properly hinders dApp integration and degrades user experience.
Explanation:
A legitimate user claims at T=0: the Snow token is minted, but no event is emitted to notify external systems.
Off-chain consumers (e.g., wallet apps, analytics platforms) won't know that the reward was issued.
Indexers (such as The Graph) may miss the reward data, affecting dApp performance and analytics.
Recommendation:
Emit the declared event after minting tokens inside earnSnow(). This ensures consistent tracking of mint events for off-chain systems and improves transparency.
Explanation:
Solution: By emitting the SnowEarned event after minting, we ensure that every reward issuance is correctly logged and traceable.
Security: This mitigation ensures that the token minting is properly tracked, which is important for off-chain systems and transparency.
Efficiency: Each claim costs about 22,100 gas (SSTORE to an existing slot), and one storage slot is used per user.
Compatibility: The fix is backward-compatible and does not introduce any breaking changes to the protocol.
This fix addresses a critical 10/10 severity vulnerability, as it restores the decentralized fairness and access to rewards. The original issue prevented external systems from tracking the reward issuance, which could result in transparency issues and a lack of accountability. The fix ensures that the event emission is properly handled, thereby protecting the integrity of the system and ensuring that off-chain systems can track the minting activity accurately.
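The following is an added illustration, not the audited contract or the project's code. It shows a minimal Snow token with the earnSnow() function first as the finding describes it (SnowEarned declared but never emitted) and then with the fix, followed by a Foundry test that asserts the event is present after the fix and absent before it, matching on topics[0] the way an indexer would. The event signature (address indexed user, uint256 amount), the 18-decimal REWARD constant, the contract names and the bare-bones _mint are assumptions; the page only names earnSnow() and SnowEarned.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. Everything except the names
// earnSnow() and SnowEarned is assumed for illustration.
import {Test, Vm} from "forge-std/Test.sol";

/// Token as the finding describes it: the event exists but earnSnow() never emits it.
contract SnowVulnerable {
    event SnowEarned(address indexed user, uint256 amount); // assumed signature

    uint256 public constant REWARD = 1e18; // "1 Snow token", assuming 18 decimals
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function earnSnow() external {
        _mint(msg.sender, REWARD);
        // BUG: SnowEarned is declared above but never emitted, so the mint
        // is invisible to log-based consumers (explorers, indexers, dApps).
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Same token with the recommended fix: emit the declared event after minting.
contract SnowFixed {
    event SnowEarned(address indexed user, uint256 amount); // assumed signature

    uint256 public constant REWARD = 1e18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function earnSnow() external {
        _mint(msg.sender, REWARD);
        emit SnowEarned(msg.sender, REWARD); // FIX: log the reward issuance
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Foundry test: the fixed contract emits SnowEarned, the vulnerable one does not.
contract SnowEventTest is Test {
    // Redeclared here so the test can reference the same signature hash.
    event SnowEarned(address indexed user, uint256 amount);

    function testFixedEmitsSnowEarned() public {
        SnowFixed snow = new SnowFixed();
        address alice = makeAddr("alice");

        // Expect topic1 (indexed user) and the data (amount) to match exactly.
        vm.expectEmit(true, false, false, true, address(snow));
        emit SnowEarned(alice, snow.REWARD());

        vm.prank(alice);
        snow.earnSnow();
        assertEq(snow.balanceOf(alice), snow.REWARD());
    }

    function testVulnerableNeverEmitsSnowEarned() public {
        SnowVulnerable snow = new SnowVulnerable();

        vm.recordLogs();
        snow.earnSnow();
        Vm.Log[] memory logs = vm.getRecordedLogs();

        // topics[0] is keccak256 of the event signature; this is the value an
        // indexer filters on, so its absence is exactly what the finding reports.
        for (uint256 i = 0; i < logs.length; i++) {
            assertTrue(logs[i].topics[0] != SnowEarned.selector);
        }
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The second test scans every emitted log rather than asserting zero logs, so it stays valid if the real _mint also emits an ERC-20 Transfer event.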