Snowman Merkle Airdrop

First Flight #42

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[H-5] Merkle root uses address and its balance to check for eligibility, users can become eligible after token transfers

soarinskysagar

[H-5] Merkle root uses address and its balance to check for eligibility, users can become eligible after token transfers

Description

Eligibility is checked by calculating the merkle root. The original merkle root has its leafs created from address and its balances
If someone transfers tokens to or from some other address, they will become ineligible for the airdrop

uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

Risk

Likelihood:

Whenever tokens are tranferred out/in

Impact:

User becomes ineligible for airdrop and can't claim NFT

Proof of Concept

Add the following test case to the test suite of SnowmanAirdrop
Here, Bob malaciously tranferred out his tokens to Alice, thus increasing her Snow balance, which makes her ineligible for airdrop and claimSnowman fails.

function test_becomeIneligible() public {

assert(nft.balanceOf(alice) == 0);

vm.prank(alice);

snow.approve(address(airdrop), 2);

bytes32 alDigest = airdrop.getMessageHash(alice);

(uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest);

vm.prank(bob);

snow.transfer(alice, 1);

vm.startPrank(satoshi);

vm.expectRevert();

airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS);

}

Recommended Mitigation

Only address should be used to check for eligibility

Updates

Lead Judging Commences

yeahchibyke Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Invalid merkle-proof as a result of snow balance change before claim action

Claims use snow balance of receiver to compute the merkle leaf, making proofs invalid if the user’s balance changes (e.g., via transfers). Attackers can manipulate balances or frontrun claims to match eligible amounts, disrupting the airdrop.

Rewards breakdown

nSLOC

215

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.