Root Cause: The mintSnowman function accepts a receiver parameter without validating that it is not the zero address, allowing NFTs to be minted to address(0).
Impact: NFTs minted to the zero address are effectively burned and permanently lost, wasting gas and potentially causing loss of intended airdrop rewards for legitimate users.
Normal Behavior: NFT minting functions should validate that the recipient address is valid and not the zero address to prevent accidental token burning.
Specific Issue: Calling mintSnowman(address(0), amount) will successfully mint NFTs to the zero address, making them unrecoverable and reducing the total supply without any benefit.
Likelihood: Medium
Integration errors or frontend bugs could accidentally pass the zero address as the receiver
Malicious actors could intentionally burn NFTs by minting them to the zero address
No validation exists to prevent this wasteful operation
Impact: Low
Token Loss: NFTs minted to the zero address are permanently lost and unrecoverable
Gas Waste: Unnecessary gas consumption for operations that provide no value
Supply Confusion: Reduces effective NFT supply without clear tracking of burned tokens
Recommended Mitigation: Add a zero-address check to the mintSnowman function so that any call with receiver == address(0) reverts before minting.
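One way to apply this mitigation, as an added example that is not the audited Snowman contract: a minimal ERC721 whose mintSnowman(receiver, amount) reverts with a custom error on a zero-address receiver, plus a Foundry test exercising both the rejecting and the normal path. It assumes OpenZeppelin and forge-std are installed; the contract, error and test names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited Snowman contract. Assumes OpenZeppelin
// and forge-std are installed; contract, error and test names are hypothetical.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

contract SnowmanExample is ERC721 {
    error Snowman__ZeroAddressReceiver();

    uint256 private s_tokenCounter;

    constructor() ERC721("Snowman", "SNOW") {}

    // Hardened mint: reject a zero-address receiver before any state change,
    // so the failure is explicit and no gas is spent on the mint loop.
    // (Access control is omitted for brevity; a real minter must restrict callers.)
    function mintSnowman(address receiver, uint256 amount) external {
        if (receiver == address(0)) revert Snowman__ZeroAddressReceiver();
        for (uint256 i = 0; i < amount; i++) {
            _safeMint(receiver, s_tokenCounter++);
        }
    }
}

// Foundry test: the zero address must be rejected with the custom error,
// while a normal receiver still receives the requested number of tokens.
contract SnowmanExampleTest is Test {
    SnowmanExample snowman;
    address alice = makeAddr("alice");

    function setUp() public {
        snowman = new SnowmanExample();
    }

    function testRevertsOnZeroReceiver() public {
        vm.expectRevert(SnowmanExample.Snowman__ZeroAddressReceiver.selector);
        snowman.mintSnowman(address(0), 3);
    }

    function testMintsToValidReceiver() public {
        snowman.mintSnowman(alice, 3);
        assertEq(snowman.balanceOf(alice), 3);
    }
}
```

When the contract inherits OpenZeppelin's ERC721, its internal `_mint` already reverts on a zero-address recipient, so the explicit check chiefly provides an earlier revert with the contract's own error rather than a library error. The check is still the right place to enforce the invariant if the base implementation is ever swapped or customised.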