Submission Details
Severity:
mispelling
Root + Impact
Description
Normally, the EIP-712 typed data signature must use the correct struct type string to produce a valid digest.
The contract has a typo in the struct definition string,
"addres"instead of"address", causing all signatures to be invalid.
bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
Risk
Likelihood:
-
Signature verification will always fail unless the typo is fixed or signatures are created using the incorrect string.
-
-
This blocks all valid claims since signature validation is mandatory.
Impact:
-
Legitimate users cannot claim their Snowman NFTs.
-
-
Airdrop becomes effectively unusable.
Proof of Concept
// Signature generated with correct "address" type will fail verification because
// the contract expects "addres" in the typed data hash.
bool valid = _isValidSignature(user, correctDigest, v, r, s); // returns false
Recommended Mitigation
- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");
Updates
Lead Judging Commences
yeahchibyke 3 months ago
Submission Judgement Published Assigned finding tags:
Inconsistent MESSAGE_TYPEHASH with standard EIP-712 declaration
A typo in the `MESSAGE_TYPEHASH` variable of the `SnowmanAirdrop` contract will prevent signature verification claims. Used `addres` instead of `address`
Rewards breakdown
nSLOC
215This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.