Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid


# Missing Claim Status Check allows Repeated NFT Minting
## Description
* Normally, airdrop contracts should prevent users from claiming more than once by enforcing a claim status check.
* The `SnowmanAirdrop` contract sets `s_hasClaimedSnowman[receiver] = true`, but **never checks it before minting**. This means users can repeatedly call `claimSnowman` and mint unlimited NFTs.
```solidity
function claimSnowman(...) external nonReentrant {
    ...
    // @> s_hasClaimedSnowman is set here, but it is never read before minting
    s_hasClaimedSnowman[receiver] = true;
    i_snowman.mintSnowman(receiver, amount);
}
```
## Risk
**Likelihood**:
* Occurs every time a user reuses the same valid Merkle proof and signature without being restricted by a claim status check.
**Impact**:
* Infinite minting of Snowman NFTs.
* Loss of trust and value in the NFT collection due to uncontrolled inflation.
## Proof of Concept
The example below shows that a user can mint an unbounded number of NFTs by replaying the same valid proof and signature.
```solidity
// Repeated calls with the same proof and signature each mint again
for (uint256 i = 0; i < 10; i++) {
    airdrop.claimSnowman(receiver, proof, v, r, s);
}
```
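The loop above, turned into a Foundry regression test against a minimal hardened contract. This is an added example and not code from the Snowman contest repository: `ClaimOnceAirdrop`, its constructor allowlist (a stand-in for the real Merkle proof and signature checks), the `s_minted` counter (a stand-in for the NFT mint) and the test contract are all assumptions made for illustration; only `forge-std`'s `Test`, `makeAddr` and `vm.expectRevert` are real library calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not the SnowmanAirdrop contract. Merkle-proof and signature
// verification are replaced by a constructor allowlist so that the
// claim-status guard can be shown in isolation.
contract ClaimOnceAirdrop {
    error AlreadyClaimed(address receiver);
    error NotEligible(address receiver);

    mapping(address => bool) public s_hasClaimed;
    mapping(address => uint256) private s_allocation; // stand-in for Merkle leaf data
    mapping(address => uint256) public s_minted;      // stand-in for the NFT mint

    constructor(address[] memory receivers, uint256[] memory amounts) {
        require(receivers.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < receivers.length; i++) {
            s_allocation[receivers[i]] = amounts[i];
        }
    }

    // Anyone may submit a claim on behalf of `receiver`, as in the original
    // design; the guard below is what makes a second submission fail.
    function claim(address receiver) external {
        uint256 amount = s_allocation[receiver];
        if (amount == 0) revert NotEligible(receiver);

        // Checks: refuse a receiver that has already claimed.
        if (s_hasClaimed[receiver]) revert AlreadyClaimed(receiver);
        // Effects: record the claim before any mint/external call.
        s_hasClaimed[receiver] = true;
        // Interactions: mint (simulated here by a counter).
        s_minted[receiver] += amount;
    }
}

contract ClaimOnceAirdropTest is Test {
    ClaimOnceAirdrop internal airdrop;
    address internal alice = makeAddr("alice");

    function setUp() public {
        address[] memory receivers = new address[](1);
        uint256[] memory amounts = new uint256[](1);
        receivers[0] = alice;
        amounts[0] = 3; // constructed allocation for the test
        airdrop = new ClaimOnceAirdrop(receivers, amounts);
    }

    function testSecondClaimReverts() public {
        airdrop.claim(alice);
        assertEq(airdrop.s_minted(alice), 3);

        // Replaying the claim must revert with the typed error and mint nothing more.
        vm.expectRevert(
            abi.encodeWithSelector(ClaimOnceAirdrop.AlreadyClaimed.selector, alice)
        );
        airdrop.claim(alice);
        assertEq(airdrop.s_minted(alice), 3);
    }

    function testUnknownReceiverReverts() public {
        address bob = makeAddr("bob");
        vm.expectRevert(
            abi.encodeWithSelector(ClaimOnceAirdrop.NotEligible.selector, bob)
        );
        airdrop.claim(bob);
    }
}
```

Run with `forge test --match-contract ClaimOnceAirdropTest`. The order inside `claim` (guard, then flag, then mint) is the same checks-effects-interactions order the recommended mitigation relies on; a typed custom error lets the test match the exact revert rather than a string.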
## Recommended Mitigation
Add a guard clause to prevent re-claiming.
```diff
function claimSnowman(...) external nonReentrant {
+ if (s_hasClaimedSnowman[receiver]) {
+ revert("Already claimed");
+ }
...
s_hasClaimedSnowman[receiver] = true;
...
}
```
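Review bot: the added `revert("Already claimed")` uses a string revert; consider a custom error such as `error SnowmanAirdrop__AlreadyClaimed();` and `revert SnowmanAirdrop__AlreadyClaimed();` instead, which is cheaper on gas and lets Foundry tests match the revert by selector. The placement of the guard as the first statement of `claimSnowman`, ahead of the elided `...` (proof and signature verification) and the existing `s_hasClaimedSnowman[receiver] = true;` line, is correct, since it fails fast before any verification work or state change.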
Updates

Lead Judging Commences

yeahchibyke Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of claim check

The claim function of the Snowman Airdrop contract doesn't check that a recipient has already claimed a Snowman. This poses no significant risk as is, as the farming period must have been long concluded before the snapshot, the creation of the merkle script, and finally claiming.
