Snowman Merkle Airdrop
First Flight #42
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

whitehacker

Root + Impact

Root: The claimSnowman function updates s_hasClaimedSnowman[receiver] = true but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens.

Impact: Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users.

Description

  • Normal Behavior: Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system.

  • Specific Issue: The function sets the claim status to true after processing but never validates if s_hasClaimedSnowman[receiver] is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs.

Risk

Likelihood: Medium

  • Users need to acquire additional Snow tokens between claims, which requires time and effort

  • Users must maintain their merkle proof validity across multiple claims

  • Attack requires understanding of the missing validation check

Impact: High

  • Airdrop Abuse: Users can claim far more NFTs than intended by the distribution mechanism

  • Unfair Distribution: Some users receive multiple rewards while others may receive none

  • Economic Manipulation: Breaks the intended scarcity and distribution model of the NFT collection

Proof of Concept

Add the following test to TestSnowMan.t.sol

function testMultipleClaimsAllowed() public {
// Alice claims her first NFT
vm.prank(alice);
snow.approve(address(airdrop), 1);
bytes32 aliceDigest = airdrop.getMessageHash(alice);
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest);
vm.prank(alice);
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
assert(nft.balanceOf(alice) == 1);
assert(airdrop.getClaimStatus(alice) == true);
// Alice acquires more Snow tokens (wait for timer and earn again)
vm.warp(block.timestamp + 1 weeks);
vm.prank(alice);
snow.earnSnow();
// Alice can claim AGAIN with new Snow tokens!
vm.prank(alice);
snow.approve(address(airdrop), 1);
bytes32 aliceDigest2 = airdrop.getMessageHash(alice);
(uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2);
vm.prank(alice);
airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds!
assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs
}

Recommended Mitigation

Add a claim status check at the beginning of the function to prevent users from claiming multiple times.

// Add new error
+ error SA__AlreadyClaimed();
function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
+ if (s_hasClaimedSnowman[receiver]) {
+ revert SA__AlreadyClaimed();
+ }
+
if (receiver == address(0)) {
revert SA__ZeroAddress();
}
// Rest of function logic...
s_hasClaimedSnowman[receiver] = true;
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of claim check

The claim function of the Snowman Airdrop contract doesn't check that a recipient has already claimed a Snowman. This poses no significant risk as is as farming period must have been long concluded before snapshot, creation of merkle script, and finally claiming.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.