Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: low
Likelihood: medium
Invalid

CEI Pattern Violation in earnSnow Function

Description

  • The Snow token contract allows users to earn one free token per week, with a timer mechanism to enforce this limit.

  • The earnSnow function writes s_earnTimer after calling _mint, the reverse of the Checks-Effects-Interactions (CEI) ordering. In the stock OpenZeppelin ERC20 that Snow builds on, _mint is an internal function that makes no call to the recipient, so there is no external interaction at this point today; the ordering only becomes a reentrancy vulnerability if the mint is later changed to a token standard that calls back into the recipient.

function earnSnow() external canFarmSnow {
    if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
        revert S__Timer();
    }
@>  _mint(msg.sender, 1);
@>  s_earnTimer = block.timestamp;
}

Risk

Likelihood:

  • The issue is not exploitable in the current implementation: the standard ERC20 _mint is internal and performs no call to the recipient, so there is no hook from which to re-enter earnSnow.

  • It would only become exploitable if the mint were replaced with a standard that hands control to the recipient (ERC777's tokensReceived, or an ERC721-style _safeMint that calls onERC721Received) or if a custom callback were added to the mint path.

Impact:

  • If the mint did call the recipient, an attacker contract could re-enter earnSnow from the hook while s_earnTimer still holds its previous value, pass the timer check again, and mint several tokens in one transaction instead of one per week.

  • This would dilute the token supply and violate the intended tokenomics of the protocol.
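The scenario above, worked through as an added Foundry test. This is illustration written for this page, not code from the Snowman Merkle Airdrop repository: the recipient hook `onSnowReceived` is hypothetical and stands in for the callbacks of hooked standards (ERC777's tokensReceived, ERC721's onERC721Received), which the stock ERC20 `_mint` does not have. It assumes `forge-std/Test.sol` is available, as in any Foundry project. The vulnerable contract keeps the audited write-after-mint ordering; the fixed one uses the reordering recommended below.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical recipient hook (not part of ERC20 or the Snow contract).
interface ISnowReceiver {
    function onSnowReceived(uint256 amount) external;
}

interface IEarnSnow {
    function earnSnow() external;
}

error S__Timer();

abstract contract HookedSnowBase {
    mapping(address => uint256) public balanceOf;
    uint256 public s_earnTimer;

    // Same guard as the audited earnSnow.
    function _checkTimer() internal view {
        if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
            revert S__Timer();
        }
    }

    // Mint that hands control to a contract recipient via the hypothetical hook.
    function _mint(address to, uint256 amount) internal {
        balanceOf[to] += amount;
        if (to.code.length > 0) {
            ISnowReceiver(to).onSnowReceived(amount);
        }
    }
}

// Ordering reported in the finding: interaction, then effect.
contract HookedSnowVulnerable is HookedSnowBase {
    function earnSnow() external {
        _checkTimer();
        _mint(msg.sender, 1);          // recipient can re-enter here
        s_earnTimer = block.timestamp; // timer is still 0 during re-entry
    }
}

// Recommended ordering: effect, then interaction.
contract HookedSnowFixed is HookedSnowBase {
    function earnSnow() external {
        _checkTimer();
        s_earnTimer = block.timestamp; // re-entry now reverts with S__Timer
        _mint(msg.sender, 1);
    }
}

// Recipient that re-enters earnSnow from the hook until `depth` mints happened.
contract Reenterer is ISnowReceiver {
    IEarnSnow private immutable i_target;
    uint256 private immutable i_depth;
    uint256 public entered;

    constructor(IEarnSnow target, uint256 depth) {
        i_target = target;
        i_depth = depth;
    }

    function attack() external {
        i_target.earnSnow();
    }

    function onSnowReceived(uint256) external override {
        entered++;
        if (entered < i_depth) {
            // Against the fixed contract this call reverts; swallow it so the
            // outer, legitimate mint still completes.
            try i_target.earnSnow() {} catch {}
        }
    }
}

contract CEIReentrancyTest is Test {
    function test_vulnerableOrderingMintsMoreThanOne() public {
        HookedSnowVulnerable snow = new HookedSnowVulnerable();
        Reenterer attacker = new Reenterer(IEarnSnow(address(snow)), 3);
        attacker.attack();
        assertEq(snow.balanceOf(address(attacker)), 3); // one call, three tokens
    }

    function test_fixedOrderingMintsExactlyOne() public {
        HookedSnowFixed snow = new HookedSnowFixed();
        Reenterer attacker = new Reenterer(IEarnSnow(address(snow)), 3);
        attacker.attack();
        assertEq(snow.balanceOf(address(attacker)), 1);
    }
}
```

Run with `forge test --match-contract CEIReentrancyTest`. Replacing the hooked `_mint` with OpenZeppelin's stock ERC20 `_mint` makes both tests mint exactly one token, which is the point the Likelihood section makes: the ordering is only a problem once the mint path calls the recipient.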

Recommended Mitigation

function earnSnow() external canFarmSnow {
if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer();
}
+ s_earnTimer = block.timestamp;
_mint(msg.sender, 1);
- s_earnTimer = block.timestamp;
}
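Review bot: the swap puts the effect before the interaction, which is the right CEI form, but the report should say plainly that it closes no live path: OpenZeppelin's _mint is internal and the ERC20 mint path never calls msg.sender, so this is hardening against a future switch to a hooked token, not a fix for a present reentrancy. If the team wants protection that does not depend on mint ordering at all, a nonReentrant guard on earnSnow is the complementary change.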
Updates

Lead Judging Commences

yeahchibyke Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
