Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Incorrect EIP-712 TypeHash Prevents Signature Verification in SnowmanClaim

Root + Impact

Description

  • The MESSAGE_TYPEHASH is expected to represent the hash of a properly defined EIP-712 type string, which is critical for verifying off-chain signed messages using ecrecover.

  • The type string contains a typo (`addres` instead of `address`), which produces a hash different from that of the correct structure. As a result, signatures generated off-chain using the correct struct definition will fail to verify on-chain, breaking any functionality that relies on this message type hash.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); // keccak256 hash of the SnowmanClaim struct's type signature, used for EIP-712 compliant message signing

Risk

Likelihood:

  • This will occur whenever a user attempts to validate or use an EIP-712 signature for the SnowmanClaim struct.

  • Any signed message generated off-chain using the correct `address` type will not match the on-chain hash.

Impact:

  • Signature validation will consistently fail, rendering the claim or signature-based access functions inoperable.

  • The trust model relying on signed messages for secure, gas-efficient off-chain authorization becomes unusable.


Recommended Mitigation

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");
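
Review bot: The `+` line still has a space after the comma in the type string (`receiver, uint256`). EIP-712's encodeType joins members with a bare `,`, so a signer that derives the type from the struct definition (for example through `eth_signTypedData_v4`) hashes `SnowmanClaim(address receiver,uint256 amount)` and gets a different typeHash than this constant. Suggest dropping the space and adding a test that compares `MESSAGE_TYPEHASH` with the keccak256 of the canonical string.
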
Updates

Lead Judging Commences

yeahchibyke Lead Judge 19 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Inconsistent MESSAGE_TYPEHASH with standard EIP-712 declaration

A typo in the `MESSAGE_TYPEHASH` variable of the `SnowmanAirdrop` contract will prevent signature verification claims. Used `addres` instead of `address`
