Snowman Merkle Airdrop

First Flight #42

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

H-3 Anyone Can Mint Snowman NFTs Directly, Bypassing Staking Logic

qasimlab118

Root + Impact

Anyone Can Mint Snowman NFTs Directly, Bypassing Staking Logic

Description

The mintSnowman(address receiver, uint256 amount) function in the Snowman contract is marked external and publicly callable by anyone. There is no access control or validation to ensure that:

The caller is the trusted SnowmanAirdrop contract
The receiver is eligible
The minting amount corresponds to actual staking behavior

According to the developer's design, NFTs should only be minted:

Through staking Snow tokens in SnowmanAirdrop
After verifying Merkle proof, signature, and Snow balance

However, because mintSnowman is external and unprotected, anyone can call it directly and mint themselves any number of Snowman NFTs, completely bypassing all eligibility rules.

Risk

Likelihood:

Extremely High — the function is external, public, and requires no checks
Can be discovered and exploited by anyone scanning the contract ABIReason 2

Impact:

Bypasses all staking and claim verification
Allows minting NFTs without owning or staking Snow tokens
Destroys reward integrity and devalues the NFT

Proof of Concept

// Attacker calls directly:

Snowman.mintSnowman(attackerAddress, 100); // No Snow required

// Result:

// 100 Snowman NFTs minted directly to attacker

// No Merkle proof, no staking, no balance check

Recommended Mitigation

Restrict access to Snowman::mintSnowman() so it can only be called by the SnowmanAirdrop contract:

+ address public immutable i_airdrop;

+ constructor(address _airdrop) {

i_airdrop = _airdrop;

}

+ modifier onlyAirdrop() {

require(msg.sender == i_airdrop, "Not authorized");

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge 12 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.

Rewards breakdown

nSLOC

215

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.