Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

I - 1 State Update After External Call – CEI Pattern Not Followed

Root + Impact

State Update After External Call – CEI Pattern Not Followed

Description

In the buySnow function, the contract performs an external call to the WETH token contract (safeTransferFrom) before updating internal state (s_earnTimer). This violates the Checks-Effects-Interactions (CEI) pattern, the Solidity best practice of completing all state updates before any external call so that the contract cannot be re-entered while its state is still stale, and so that its state is consistent at every point of execution.

Risk

Likelihood

  • Low in the current implementation, as WETH is a well-known token that makes no callbacks into the caller, so the ordering cannot be abused today.

Impact

  • Internal state (s_earnTimer) is updated after an external call, breaking the CEI pattern.

Proof of Concept

Recommended Mitigation

To maintain best security hygiene and prevent future issues:

  • Always follow the CEI pattern: update state before making external calls.

Refactor the function to move s_earnTimer = block.timestamp; before the external call:

```solidity
function buySnow(uint256 amount) external payable canFarmSnow {
    // Checks
    require(amount > 0, "Zero amount not allowed");
    // Effects: state updated before any interaction
    s_earnTimer = block.timestamp; // ✅ state updated before interaction
    if (msg.value == (s_buyFee * amount)) {
        // Paid in ETH: no external call is needed
        _mint(msg.sender, amount);
    } else {
        // Interactions: the WETH transfer now happens only after state is settled
        i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
        _mint(msg.sender, amount);
    }
    emit SnowBought(msg.sender, amount);
}
```
Updates

Lead Judging Commences

yeahchibyke (Lead Judge), 13 days ago

Submission Judgement Published

Invalidated
Reason: Non-acceptable severity
