Root + Impact

Description

• Each user should be able to claim the Snowman NFT only once.\

• However, the contract does not check if a user has already claimed, allowing users to repeatedly claim multiple NFTs as long as they have the tokens and valid addresses

Risk

Likelihood:

• Users with a valid Merkle proof and signature can repeatedly claim the snowmen as long as they hold tokens.\

• The contract allows multiple claims without stopping receivers that have already claimed.

Impact:

• Allows receivers to claim multiple Snowman NFTs.

• Could claim all the snowmen so there isn’t any for anyone else

• Could lead to loss of user trust and unfair distribution.

Proof of Concept

Step 1: Meet Requirements

• Receiver fulfills all necessary conditions to claim a snowman.

• Step 2: Claim Execution

  • The following code runs:

    i_snow.safeTransferFrom(receiver, address(this), amount); s_hasClaimedSnowman[receiver] = true; emit SnowmanClaimedSuccessfully(receiver, amount); i_snowman.mintSnowman(receiver, amount);
    
    

  • The snowman is successfully claimed.

• Step 3: Replay Attack

  • Since there's no check preventing multiple claims:

    • The receiver can call the same function again.

    • They keep receiving snowmen with no limit.

• Impact

  • One user can drain the entire snowman supply.

  • Others are blocked from claiming.

Recommended Mitigation

📌 Key Mitigation Points
✅ Prevents multiple claims by the same user.

🔐 Stops replay attacks by tracking and checking claim history.

⛔ Blocks abuse where users try to drain snowman supply.

💡 Simple, effective fix by leveraging the existing s_hasClaimedSnowman mapping.

🧱 Can be extended with further enhancements (e.g., cooldown timers, claim limits).