Snowman.sol::mintSnowman function
The mintSnowman function in Snowman.sol lacks any form of access control (e.g., onlyOwner, onlyRole, or a similar modifier). This design allows any external address to call this function and mint an unlimited number of Snowman NFTs to any receiver address, without restriction.
This vulnerability has severe consequences:
Sybil Attack: Malicious users can exploit this to mint an endless supply of NFTs, effectively flooding the system and devaluing the entire collection.
Token Devaluation: An uncontrolled, unlimited supply inherently diminishes any potential value or scarcity the NFTs are intended to hold.
Denial-of-Service (DoS) Risk: The s_TokenCounter (which represents the total supply) could rapidly increase to extremely high values. This could lead to potential gas issues, overflows, or performance degradation in future operations that rely on iterating over token IDs or that assume a bounded total supply.
The existing testMintSnowman function within TestSnowman.t.sol implicitly serves as proof. This test function successfully mints Snowman NFTs without requiring any special permissions, demonstrating the absence of access control.
Implement a robust access control mechanism, such as an onlyOwner modifier (if the contract should be administered by a single address) or a role-based access control (RBAC) system. This ensures that only authorized entities can control the minting process and prevents abuse.
Proposed Fix in Snowman.sol:
The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.