Unrestricted Access to Snowman::mintSnowman() Enables Infinite NFT Minting and Bypasses Protocol Rules.
[H-3] Unrestricted Access to Snowman::mintSnowman() Enables Infinite NFT Minting and Bypasses Protocol Rules.
Description: The Snowman contract implements the Snowman::mintSnowman() function that allows any external caller to mint an arbitrary number of NFTs to any address, without restrictions:
There are no access controls, no token gating, and no maximum mint cap. This undermines the protocol’s intended design, where NFTs are supposed to be earned through staking Snow tokens or claimed via SnowmanAirdrop using a Merkle proof and valid signature.
Impact:
-
Any user can call
Snowman::mintSnowman()directly and mint thousands of NFTs without owning any Snow tokens or passing a Merkle proof. -
This bypasses all staking, signature validation, or Merkle-tree-based restrictions from SnowmanAirdrop.sol.
-
Severe inflation of the NFT supply becomes possible, ruining scarcity and trust in the system.
-
NFT marketplaces and indexers may be spammed with illegitimate tokens.
-
Potential economic exploitation if NFTs have value, utility, or claimable rewards.
Proof of Concept: Add this into your TestSnowman.t.sol:
Recommended Mitigation: Restrict mintSnowman() to only authorized contract SnowmanAirdrop.
i_airdrop would be a state variable in the Snowman.sol contract, and it should store the address of the trusted SnowmanAirdrop contract — the only contract allowed to call Snowman::mintSnowman().
Lead Judging Commences
Unrestricted NFT mint function
The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.