Description: Snowman::mintSnowman() has no access control mechanisms, allowing any address to call it and mint unlimited NFTs to any recipient. According to the protocol design, only the SnowmanAirdrop contract should be able to mint Snowman NFTs after proper verification of eligibility.
Impact: This vulnerability completely bypasses all the carefully designed verification systems in the SnowmanAirdrop contract, including Merkle proof verification and signature validation. An attacker could mint an unlimited number of Snowman NFTs without staking any Snow tokens, which would inflate the supply and devalue legitimate users' NFTs. Additionally, it breaks the core economic model of the protocol where users must stake Snow tokens to receive Snowman NFTs.
Recommended Mitigation: Introduce an 'onlyAirdrop' modifier tied to the SnowmanAirdrop contract or:
The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.
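The following is an added illustration of the finding and of the recommended fix; it is not the project's code. The signature mintSnowman(address receiver, uint256 amount), the simplified token bookkeeping, and the owner-set, write-once wiring of the airdrop address are all assumptions made for the example. The vulnerable shape is shown first, then the version gated by an onlyAirdrop modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. Parameter names, the owner mechanism and the
// minimal ownerOf/nextTokenId bookkeeping are assumptions, not the
// protocol's actual implementation.

// BEFORE (vulnerable): no access control, any caller mints to any receiver.
contract SnowmanUnprotected {
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    function mintSnowman(address receiver, uint256 amount) external {
        for (uint256 i = 0; i < amount; i++) {
            ownerOf[nextTokenId++] = receiver;
        }
    }
}

// AFTER (hardened): only the registered SnowmanAirdrop contract may mint.
contract Snowman {
    error Snowman__NotAirdrop();
    error Snowman__NotOwner();
    error Snowman__ZeroAddress();
    error Snowman__AirdropAlreadySet();

    address public immutable i_owner;   // deployer, only used to wire the airdrop once
    address public s_airdrop;           // address(0) until set: nobody can mint yet
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    event AirdropSet(address indexed airdrop);
    event SnowmanMinted(address indexed receiver, uint256 indexed tokenId);

    // msg.sender is never address(0), so before setAirdrop() is called
    // every mint attempt reverts rather than silently succeeding.
    modifier onlyAirdrop() {
        if (msg.sender != s_airdrop) revert Snowman__NotAirdrop();
        _;
    }

    constructor() {
        i_owner = msg.sender;
    }

    // Snowman is usually deployed before SnowmanAirdrop (the airdrop needs the
    // NFT address), so the link is established once, by the deployer, and then
    // frozen: a later re-pointing to an attacker-controlled contract is impossible.
    function setAirdrop(address airdrop) external {
        if (msg.sender != i_owner) revert Snowman__NotOwner();
        if (airdrop == address(0)) revert Snowman__ZeroAddress();
        if (s_airdrop != address(0)) revert Snowman__AirdropAlreadySet();
        s_airdrop = airdrop;
        emit AirdropSet(airdrop);
    }

    // Eligibility (Merkle proof, signature, Snow staking) is verified in
    // SnowmanAirdrop; this contract only has to trust that single caller.
    function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
        if (receiver == address(0)) revert Snowman__ZeroAddress();
        for (uint256 i = 0; i < amount; i++) {
            uint256 tokenId = nextTokenId++;
            ownerOf[tokenId] = receiver;
            emit SnowmanMinted(receiver, tokenId);
        }
    }
}
```

A regression test for this fix should assert two things: a call to mintSnowman from an arbitrary EOA reverts with Snowman__NotAirdrop, and a call routed through the address registered via setAirdrop succeeds. Making the airdrop address write-once is a deliberate choice; if the protocol needs to upgrade the airdrop contract, replace the write-once check with an owner-gated setter that emits AirdropSet so the change is auditable on-chain.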