Snowman Merkle Airdrop
First Flight #42
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Time reset for both function together

kmrnxd

Root + Impact

The bug occurs because the buySnow() function resets the s_earnTimer to the current block.timestamp every time someone purchases snow tokens.

Unfair token distribution.

Description

  • One should be able to earnSnow after 1 week + s_earnTimer in earnSnow() function

  • Each time someone buy a snow , it reset the s_earnTimer for each user.


function buySnow(uint256 amount) external payable canFarmSnow {
if (msg.value == (s_buyFee * amount)) {
_mint(msg.sender, amount);
} else {
i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
_mint(msg.sender, amount);
}
@> s_earnTimer = block.timestamp;
emit SnowBought(msg.sender, amount);
}
function earnSnow() external canFarmSnow {
if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer();
}
_mint(msg.sender, 1);
@> s_earnTimer = block.timestamp;
}

Risk Medium

Likelihood: High

Impact:

Anyone who buys earnSnow reset the s_earnTimer to block.timestamp.

  • It will stop other user to earn weekly snow in earnSnow() function as it requires block.timestamp < (s_earnTimer + 1 weeks))

Proof of Concept

User A claim earnSnow() , which set s_earnTimer = t.

User B buy snow at t+2 days which again reset s_earnTimer = t+2.

User A try to earnSnow() after t+1 week and it failed because t+1 week < (t+2)+1 week.

Recommended Mitigation

- s_earnTimer = block.timestamp;
+
Updates

Lead Judging Commences

yeahchibyke Lead Judge 12 days ago
Submission Judgement Published
Validated
Assigned finding tags:

buying of snow resets global timer thus affecting earning of free snow

When buySnow is successfully called, the global timer is reset. This inadvertently affects the earning of snow as that particular action also depends on the global timer.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.