Snowman Merkle Airdrop

First Flight #42
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Lack of access control in mintSnowman() can lead to anyone minting Snowman instead of only eligible users

Lack of access control in mintSnowman() means anyone can mint a Snowman instead of only eligible users, which is unfair to the users who claim or buy Snow for the purpose of minting a Snowman.

Description

  • The mintSnowman() function is marked external, so any address can call it, and the function contains no check to verify whether the caller is eligible for a Snowman.

```solidity
//@audit anyone can call this function why?
function mintSnowman(address receiver, uint256 amount) external {
    for (uint256 i = 0; i < amount; i++) {
        _safeMint(receiver, s_TokenCounter);
        emit SnowmanMinted(receiver, s_TokenCounter);
        s_TokenCounter++;
    }
}
```

Risk

  • Users can call mintSnowman() directly to obtain Snowman NFTs without ever claiming or staking Snow, bypassing the airdrop entirely.

Recommended Mitigation

Access control checks should be added to the function so that it enforces the intended logic: only users who claim Snow, or who buy and stake Snow, can mint a Snowman.
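One way to apply that mitigation, as an added example that is not the Snowman project's own code: the mint loop is kept as-is but gated behind an `onlyAirdrop` modifier, so only a designated airdrop contract (the `s_airdrop` address, an assumption here) can mint, and that address is wired once by the owner. Assumes OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin v5 and that
// minting is meant to be performed only by a designated airdrop contract.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract SnowmanHardened is ERC721, Ownable {
    error Snowman__NotAirdrop();
    error Snowman__ZeroAddress();
    error Snowman__AirdropAlreadySet();

    event SnowmanMinted(address indexed receiver, uint256 indexed tokenId);
    event AirdropSet(address indexed airdrop);

    uint256 private s_tokenCounter;
    address private s_airdrop; // the only address allowed to mint (assumed design)

    constructor(address initialOwner) ERC721("Snowman", "SNOWMAN") Ownable(initialOwner) {}

    // Owner wires the airdrop contract exactly once; later attempts revert, so the
    // minter cannot be silently redirected after users have started claiming.
    function setAirdrop(address airdrop) external onlyOwner {
        if (airdrop == address(0)) revert Snowman__ZeroAddress();
        if (s_airdrop != address(0)) revert Snowman__AirdropAlreadySet();
        s_airdrop = airdrop;
        emit AirdropSet(airdrop);
    }

    // Rejects every caller except the configured airdrop contract.
    modifier onlyAirdrop() {
        if (msg.sender != s_airdrop) revert Snowman__NotAirdrop();
        _;
    }

    // Same mint loop as the vulnerable version, now reachable only through the
    // airdrop contract, which is where claim / stake eligibility is enforced.
    function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
        for (uint256 i = 0; i < amount; i++) {
            _safeMint(receiver, s_tokenCounter);
            emit SnowmanMinted(receiver, s_tokenCounter);
            s_tokenCounter++;
        }
    }

    function getAirdrop() external view returns (address) {
        return s_airdrop;
    }
}
```

A Foundry regression test for this finding would `vm.prank` an arbitrary address, `vm.expectRevert(SnowmanHardened.Snowman__NotAirdrop.selector)`, and call `mintSnowman`; a second case pranks the configured airdrop address and asserts the receiver's balance increased by `amount`.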

Updates

Lead Judging Commences

yeahchibyke Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.
