Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Incorrect Event Parameter Usage

Root + Impact

Description

Normal Behaviour:

Events in Solidity are used to track and log important state changes. In NFT contracts, minting events typically record:

  1. Who received the token (receiver address)

  2. Which token was minted (token ID)

  3. How many tokens were minted in a batch operation (amount)

Specific Issue:

  1. The event parameter is named numberOfSnowman but actually contains the token ID

  2. For a batch mint of 3 tokens starting at ID 5, it will emit

  3. This creates confusion because:

  • The parameter name suggests it's a quantity

  • The value is actually a token ID

  • There's no way to easily track batch mints

Impact:

  1. Indexing Services:

  • Services like The Graph will index misleading data

  • Queries for "number of tokens minted" will return incorrect results

  • Historical tracking of mint batches becomes difficult

// >>> EVENTS
@> event SnowmanMinted(address indexed receiver, uint256 indexed numberOfSnowman); @>
// Parameter named 'numberOfSnowman' implies quantity but will receive tokenId

function mintSnowman(address receiver, uint256 amount) external {
    for (uint256 i = 0; i < amount; i++) {
        _safeMint(receiver, s_TokenCounter);
@>      emit SnowmanMinted(receiver, s_TokenCounter); @>
        // Event emits s_TokenCounter (tokenId) into parameter named 'numberOfSnowman'
        s_TokenCounter++;
    }
}

Risk

Likelihood: Low

  • Reason 1: The event emission occurs on every single mint operation, making the misleading data consistently present in all minting transactions. Every time a user or contract calls mintSnowman(), the event will emit token IDs under a parameter named numberOfSnowman.

Impact:

  • Impact 1: Indexing services and analytics platforms will record incorrect minting statistics

  • The Graph and similar indexers will store token IDs as quantities

  • Total supply calculations based on event data will be inaccurate

  • Historical mint batch tracking becomes unreliable
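
An added example (not from the report or the Snowman repository) of the indexing impact listed above: an off-chain consumer that sums the `numberOfSnowman` field reports a wrong mint total, while counting logs gives the right one. The log dictionaries imitate the `topics`/`data` layout of an `eth_getLogs` result; the receiver address, the topic 0 placeholder and every log value are constructed, and the three-field event shape is the one the report recommends further down.

```python
# Added illustration: off-chain readers of SnowmanMinted logs (all values constructed).
TOPIC0 = "0x" + "aa" * 32   # placeholder, NOT the real event signature hash
RECEIVER = 0xA11CE          # constructed receiver address


def word(n):
    """Encode an integer as a 32-byte ABI word in hex."""
    return "0x" + n.to_bytes(32, "big").hex()


def emit_original(start_id, amount):
    """Logs from the page's mintSnowman(): one event per token.
    Both parameters are indexed, so the tokenId sits in topics[2]."""
    return [{"topics": [TOPIC0, word(RECEIVER), word(start_id + i)], "data": "0x"}
            for i in range(amount)]


def emit_mitigated(start_id, amount):
    """Recommended event: one log per batch, first tokenId indexed,
    batchSize (not indexed) in the data field."""
    return [{"topics": [TOPIC0, word(RECEIVER), word(start_id)], "data": word(amount)}]


def naive_total(logs):
    """Indexer that trusts the name and sums 'numberOfSnowman' as a quantity."""
    return sum(int(log["topics"][2], 16) for log in logs)


def counted_total(logs):
    """Correct reading of the original event: each log is exactly one mint."""
    return len(logs)


def mitigated_total(logs):
    """Reading of the recommended event: sum batchSize from the data field."""
    return sum(int(log["data"], 16) for log in logs)


def poc_scenario():
    """The PoC sequence: a single mint (ID 0), then a batch of 3 (IDs 1-3)."""
    original = emit_original(0, 1) + emit_original(1, 3)
    mitigated = emit_mitigated(0, 1) + emit_mitigated(1, 3)
    return naive_total(original), counted_total(original), mitigated_total(mitigated)


if __name__ == "__main__":
    print("naive / counted / mitigated totals:", poc_scenario())
```
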

Proof of Concept

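// Test Contract
// Assumes a Foundry project; point the Snowman import at the contract's location in the repository.
import {Test} from "forge-std/Test.sol";
// import {Snowman} from "<path to Snowman.sol>";

contract SnowmanTest is Test {
    Snowman snowman;
    address receiver;

    function setUp() public {
        snowman = new Snowman("test-uri");
        // _safeMint reverts for a contract receiver that lacks onERC721Received,
        // so the test mints to a plain address instead of address(this)
        receiver = makeAddr("receiver");
    }

    function testMintBatchMisleadingEvents() public {
        // Scenario 1: Single Mint
        snowman.mintSnowman(receiver, 1);
        // Emits: SnowmanMinted(receiver, 0)
        // Event suggests 0 snowmen were minted, but actually means tokenId 0

        // Scenario 2: Batch Mint of 3 tokens
        snowman.mintSnowman(receiver, 3);
        // Emits three events:
        // SnowmanMinted(receiver, 1) // Looks like 1 snowman
        // SnowmanMinted(receiver, 2) // Looks like 2 snowmen
        // SnowmanMinted(receiver, 3) // Looks like 3 snowmen
        // But these are actually token IDs 1, 2, and 3
    }
}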

Recommended Mitigation

- event SnowmanMinted(address indexed receiver, uint256 indexed numberOfSnowman);
+ event SnowmanMinted(address indexed receiver, uint256 indexed tokenId, uint256 batchSize);
function mintSnowman(address receiver, uint256 amount) external {
+ uint256 startTokenId = s_TokenCounter;
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
- emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
+ emit SnowmanMinted(receiver, startTokenId, amount);
}
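
Review bot: In the added `emit SnowmanMinted(receiver, startTokenId, amount);` line the second argument is the first ID of the batch, but the new event declares that field as `tokenId`, so a reader can still mistake it for the only token minted; naming the field `startTokenId` would match what is passed. The emit also sits after the loop, so a call with `amount` equal to 0 mints nothing yet still logs an event with `batchSize` 0; add a check on `amount` or document that behaviour.
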
Updates

Lead Judging Commences

yeahchibyke Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
