Snowman Merkle Airdrop

First Flight #42
Submission Details
Severity: low
Valid

Missing claimed check in airdrop

Root + Impact

Description

  • Users should only be able to claim their airdrop once

  • The current implementation fails to check whether the recipient has already claimed their airdrop

    function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
        external
        nonReentrant
    {
        if (receiver == address(0)) {
            revert SA__ZeroAddress();
        }
        if (i_snow.balanceOf(receiver) == 0) {
            revert SA__ZeroAmount();
        }
        if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {
            revert SA__InvalidSignature();
        }
        // missing check here
        ...
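As an added illustration, not the Snowman Merkle Airdrop project's own code, here is a trimmed-down claim function that consults the claimed flag up front and sets it before the mint, so a repeated call for the same receiver reverts. The contract name, the leaf layout, _mintSnowman and the error name SA__AlreadyClaimed are assumptions, and the signature check from the original is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function balanceOf(address account) external view returns (uint256); }

// Added example, not the Snowman Merkle Airdrop project's code: only the pieces
// needed to show the missing claim check and the hardened claim flow are kept.
// The contract name, leaf layout, _mintSnowman and the error name
// SA__AlreadyClaimed are assumptions; the signature check is left out.
contract SnowmanAirdropExample {
    error SA__ZeroAddress();
    error SA__ZeroAmount();
    error SA__InvalidProof();
    error SA__AlreadyClaimed();

    IERC20 public immutable i_snow;
    bytes32 public immutable i_merkleRoot;
    // Per-receiver claim flag; the vulnerable claimSnowman never consulted it.
    mapping(address => bool) public s_hasClaimedSnowman;
    mapping(address => uint256) public snowmanBalance; // stand-in for NFT ownership

    constructor(IERC20 snow, bytes32 merkleRoot) { i_snow = snow; i_merkleRoot = merkleRoot; }

    function claimSnowman(address receiver, bytes32[] calldata merkleProof) external {
        if (receiver == address(0)) revert SA__ZeroAddress();
        uint256 amount = i_snow.balanceOf(receiver);
        if (amount == 0) revert SA__ZeroAmount();
        // The fix: a receiver that already claimed is rejected before anything else.
        if (s_hasClaimedSnowman[receiver]) revert SA__AlreadyClaimed();

        // Assumed leaf layout: double-hashed (receiver, amount) pair.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
        if (!_verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

        // Effects before interactions: set the flag before minting so a re-entrant
        // or repeated call sees it and reverts.
        s_hasClaimedSnowman[receiver] = true;
        _mintSnowman(receiver, amount);
    }

    // Sorted-pair Merkle proof check (the scheme OpenZeppelin's MerkleProof uses).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf) internal pure returns (bool) {
        bytes32 h = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            h = h < proof[i] ? keccak256(abi.encodePacked(h, proof[i])) : keccak256(abi.encodePacked(proof[i], h));
        }
        return h == root;
    }
    function _mintSnowman(address to, uint256 amount) internal { snowmanBalance[to] += amount; }
}
```

A Foundry test that calls claimSnowman twice for the same receiver and expects the second call to revert with SA__AlreadyClaimed is the natural regression check for this fix.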

Risk

Likelihood:

  • Any user with a valid merkle proof can repeatedly claim their airdrop.

Impact:

  • More NFTs being owned than should be allowed

Proof of Concept

Repeatedly call the claimSnowman function with the same valid receiver, merkle proof and signature; each call succeeds and mints again.

Recommended Mitigation

Add this check in claimSnowman function

+if (s_hasClaimedSnowman[receiver]) {
+ revert SA__AlreadyClaimedf();
+ }
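Review bot: the revert on the second line names SA__AlreadyClaimedf(), which looks like a typo for SA__AlreadyClaimed() and would not compile unless that misspelled error is declared. The check also only works if s_hasClaimedSnowman[receiver] is set to true inside claimSnowman before the NFT is minted; the three lines read the mapping but nothing shown writes it, so the suggestion should include that assignment.
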
Updates

Lead Judging Commences

yeahchibyke Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of claim check

The claim function of the Snowman Airdrop contract doesn't check whether a recipient has already claimed a Snowman. This poses no significant risk as is, as the farming period must have been long concluded before the snapshot, the creation of the merkle script, and finally claiming.
