Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Typo in MESSAGE_TYPEHASH (addres) makes all Signature Verifications Fail

Description

  • The MESSAGE_TYPEHASH used for EIP712 encoding defines the struct as "SnowmanClaim(addres receiver, uint256 amount)".

  • This is a typo: "addres" is not a valid type, and this hash will never match any signed messages, resulting in all signature verifications failing.

// @> Typo: 'addres' instead of 'address'
bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Risk

Likelihood:

  • Always occurs — signature verification will fail 100% of the time.

Impact:

  • No user will ever be able to claim their Snowman NFT using EIP712 signatures.

  • Complete failure of signature-based verification.

Proof of Concept

The following Solidity example proves that all attempts to verify EIP712 messages will fail with this bug.

// All attempts to verify valid EIP712 messages will fail
bool valid = _isValidSignature(receiver, digest, v, r, s); // always returns false
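
The failure can be reproduced end to end in a Foundry test. The harness below is an added example, not code from the submission or from the SnowmanAirdrop contract; it assumes the signer builds the digest off-chain with the type string that EIP-712's encodeType produces, and the domain name, version and test key are constructed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

// Added example: a minimal harness, not the SnowmanAirdrop contract itself.
contract TypehashMismatchTest is Test {
    // Type string from the finding vs. the one EIP-712's encodeType yields for the same struct.
    bytes32 constant TYPO_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
    bytes32 constant CANONICAL_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

    bytes32 constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");

    // Domain name and version are constructed values (assumptions; the page does not give them).
    function _domainSeparator() internal view returns (bytes32) {
        return keccak256(
            abi.encode(DOMAIN_TYPEHASH, keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(this))
        );
    }

    // EIP-712 digest: keccak256("\x19\x01" || domainSeparator || hashStruct(message)).
    function _digest(bytes32 typehash, address receiver, uint256 amount) internal view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(typehash, receiver, amount));
        return keccak256(abi.encodePacked("\x19\x01", _domainSeparator(), structHash));
    }

    function test_WalletSignatureRejectedByTypoTypehash() public {
        uint256 pk = 0xA11CE; // constructed test key
        address receiver = vm.addr(pk);
        uint256 amount = 1;

        // Off-chain side: a standard EIP-712 signer hashes the canonical type string.
        bytes32 walletDigest = _digest(CANONICAL_TYPEHASH, receiver, amount);
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(pk, walletDigest);

        // On-chain side: the contract rebuilds the digest from its own typo'd typehash.
        bytes32 contractDigest = _digest(TYPO_TYPEHASH, receiver, amount);

        assertTrue(walletDigest != contractDigest, "digests must differ");
        // The signature is valid for the digest the wallet actually signed...
        assertEq(ecrecover(walletDigest, v, r, s), receiver);
        // ...but recovers a different signer against the contract's digest, so the claim is rejected.
        assertTrue(ecrecover(contractDigest, v, r, s) != receiver, "typo typehash rejects a valid signature");
    }
}
```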

Recommended Mitigation

Fix the typo in the MESSAGE_TYPEHASH:

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");
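
Review bot: on the `+` line the type string still carries a space after the comma ("address receiver, uint256 amount"). EIP-712's encodeType joins struct members with a bare comma, so standard typed-data signers hash "SnowmanClaim(address receiver,uint256 amount)" and the resulting typehash would still differ from this constant. Drop the space, and add a test that verifies a signature produced over the canonical type string so that any later edit to this literal is caught.
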
Updates

Lead Judging Commences

yeahchibyke Lead Judge 17 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Inconsistent MESSAGE_TYPEHASH with standard EIP-712 declaration

A typo in the `MESSAGE_TYPEHASH` variable of the `SnowmanAirdrop` contract will prevent signature verification claims. Used `addres` instead of `address`.
