Snowman Merkle Airdrop

First Flight #42

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`Snowman::minSnowMan` Any user without snow tokens can mint

jfornells

Snowman::minSnowMan` Any user without snow tokens can mint.

Description

The mintSnowman function should only allow minting Snowman NFTs through the SnowmanAirdrop contract, based on the user's Snow token balance.
Currently, the function is external and does not apply any access restriction or balance check, allowing any address to mint an arbitrary amount of NFTs without limit.

function mintSnowman(address receiver, uint256 amount) external {

@> for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk:

Likelihood: High

Any user can interact directly with the mintSnowman function without any balance verification, nor is it protected by permissions or access control. This allows unlimited NFT creation.

Impact: High

The Snowman NFT collection completely loses its scarcity, as anyone can mint unlimited amounts.
Logics that depend on legitimate ownership of these NFTs (e.g., access, staking, airdrops) are broken.

Proof of Concept

A new user is created and it is verified that they have no Snow tokens.
The user executes mintSnowman() to mint 1000 NFTs.
It is verified that the user correctly receives the 1000 NFTs despite having no Snow tokens.

function test_MintSnowman() public {

address user = makeAddr("user");

uint256 userBalance = snow.balanceOf(user);

assertEq(userBalance, 0);

vm.startPrank(user);

uint256 amount = 1000;

nft.mintSnowman(user, amount);

uint256 userBalanceAfter = nft.balanceOf(user);

assertEq(userBalanceAfter, amount);

}

[PASS] test_MintSnowman() (gas: 33188206)

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 199.93ms (118.11ms CPU time)

Recommended Mitigation

To ensure that only the authorized SnowmanAirdrop contract can mint Snowman NFTs, we recommend restricting access to the mintSnowman() function. This adds a permission check and prevents misuse of the minting logic. Below are the suggested changes:

+ error Invalid__Address();

+ error Unauthorized__Caller();

+ address private s_airdrop;

function mintSnowman(address receiver, uint256 amount) external {

+ address airdropAddress = s_airdrop;

+ if (msg.sender != airdropAddress) revert Unauthorized__Caller();

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

+ function setAirdropAddress(address airdrop) external onlyOwner {

+ if (airdrop == address(0)) revert Invalid__Address();

+ s_airdrop = airdrop;

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge 30 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Unrestricted NFT mint function

The mint function of the Snowman contract is unprotected. Hence, anyone can call it and mint NFTs without necessarily partaking in the airdrop.

Rewards breakdown

nSLOC

215

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.