Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Users can claim NFT multiple times

Users can potentially claim multiple times due to missing duplicate claim validation in SnowmanAirdrop::claimSnowman

Description: The contract sets s_hasClaimedSnowman[receiver] = true but never checks this value before allowing claims, making the duplicate claim protection mapping pointless and potentially allowing users to claim multiple times.

function claimSnowman(/*...*/) external nonReentrant {
    // ... validation ...
    s_hasClaimedSnowman[receiver] = true; // Set but never checked
    // ...
}

Impact: Potential double spending if duplicate claims are possible.

Recommended Mitigation: Add a duplicate claim check before processing:

error SA__AlreadyClaimed();

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
    external nonReentrant {
    if (receiver == address(0)) revert SA__ZeroAddress();
    if (s_hasClaimedSnowman[receiver]) revert SA__AlreadyClaimed(); // ✅ Check before processing
    if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();
    // ... rest of validation and processing ...
    s_hasClaimedSnowman[receiver] = true;
    emit SnowmanClaimedSuccessfully(receiver, amount);
    i_snowman.mintSnowman(receiver, amount);
}
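
The following Foundry regression test is an added example, not the contest's code or the submitter's proof of concept. It models the set-but-unchecked flag next to the checked version. `MiniAirdrop`, its members and the one-leaf tree are hypothetical and constructed for illustration: the model omits the signature and Snow balance checks of the real contract, and it assumes forge-std and OpenZeppelin are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

// Hypothetical, simplified stand-in for SnowmanAirdrop: no signature check,
// no Snow token, and `minted` replaces the NFT mint.
contract MiniAirdrop {
    error AlreadyClaimed();
    error InvalidProof();
    bytes32 public immutable i_root;
    bool public immutable i_enforceClaimOnce; // false = behaviour described in the finding
    mapping(address => bool) public s_hasClaimed;
    mapping(address => uint256) public minted;

    constructor(bytes32 root, bool enforceClaimOnce) { i_root = root; i_enforceClaimOnce = enforceClaimOnce; }

    function claim(address receiver, uint256 amount, bytes32[] calldata proof) external {
        if (i_enforceClaimOnce && s_hasClaimed[receiver]) revert AlreadyClaimed();
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
        if (!MerkleProof.verify(proof, i_root, leaf)) revert InvalidProof();
        s_hasClaimed[receiver] = true; // effect recorded before the mint
        minted[receiver] += amount;
    }
}

contract ClaimOnceTest is Test {
    address alice = makeAddr("alice");
    uint256 constant AMOUNT = 1;
    // Constructed one-leaf tree: the root is the leaf and the proof is empty.
    bytes32 root = keccak256(bytes.concat(keccak256(abi.encode(alice, AMOUNT))));
    bytes32[] proof;

    function test_flagSetButUnchecked_allowsRepeatClaim() public {
        MiniAirdrop drop = new MiniAirdrop(root, false);
        drop.claim(alice, AMOUNT, proof);
        drop.claim(alice, AMOUNT, proof); // the same proof is accepted again
        assertEq(drop.minted(alice), 2 * AMOUNT);
    }

    function test_checkedFlag_revertsOnSecondClaim() public {
        MiniAirdrop drop = new MiniAirdrop(root, true);
        drop.claim(alice, AMOUNT, proof);
        vm.expectRevert(MiniAirdrop.AlreadyClaimed.selector);
        drop.claim(alice, AMOUNT, proof);
        assertEq(drop.minted(alice), AMOUNT);
    }
}
```

Run with `forge test --match-contract ClaimOnceTest`. Whether a repeat claim succeeds in the real contract also depends on the checks this model leaves out.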
Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of claim check

The claim function of the Snowman Airdrop contract doesn't check that a recipient has already claimed a Snowman. This poses no significant risk as is, as the farming period must have been long concluded before the snapshot, creation of the merkle script, and finally claiming.
