Snowman Merkle Airdrop

First Flight #42

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Lack of Gas-Safety check in mintSnowman() ay Lead to Denial of Service

khandelwalmoksh787

Root + Impact- The `mintSnowman()` function allows minting of arbitrary amounts of NFTs in a single transaction without enforcing a maximum limit. In extreme cases, this could lead to out-of-gas failures and denial-of-service (DoS) for large claims, especially in loops.

Description

Normally, mintSnowman() accepts a receiver and a uint256 amount, then mints that many NFTs in a loop to the recipient.
However, without any restriction or gas-efficiency cap on amount, users can pass very large values. This could cause transactions to fail due to gas limits, effectively preventing valid NFT claims if used carelessly or maliciously.

function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

@> _safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk

Likelihood:

Reason 1: This will occur when a user or attacker submits a claimSnowman() with a very high amount value.
Reason 2: The gas cost per NFT scales linearly. A higher claim size leads to a higher risk of out-of-gas errors, especially on chains with lower block gas limits.

Impact:

Impact 1: DoS — genuine users might fail to claim NFTs because their transactions always revert due to excessive loop gas usage.
Impact 2: Potential griefing vector or chain bloat if miners intentionally include huge mint loops.

Proof of Concept- The normal behavior of `claimSnowman()` is to mint one Snowman NFT for every 10 Snow tokens by looping `amount / 10` times. However, if a user has a large number of tokens (e.g., 100,000), the loop inside `mintSnowman()` will execute 10,000 times, which can exceed the block gas limit. This causes the transaction to revert, effectively preventing high-volume users from claiming their NFTs and resulting in a denial of service for legitimate claims.

// Let's say someone earned or bought 100,000 Snow tokens and wants to claim their NFTs.

claimSnowman(

msg.sender,

validMerkleProof,

v, r, s

);

// If amount = 100000, the loop in mintSnowman() will likely run out of gas and revert.

Recommended Mitigation- To avoid out-of-gas errors and potential DoS in `mintSnowman()`, enforce a hard cap on how many NFTs can be minted in a single transaction. This ensures even large claimers can redeem in batches, without exhausting gas or blocking future claims.

Set a maximum allowed amount (e.g., 100), and revert if the input exceeds this.

Define the custom error for clarity and gas effeciency: error SM__MintTooLarge();

+ error SM__MintTooLarge();

- function mintSnowman(address receiver, uint256 amount) external {

+ function mintSnowman(address receiver, uint256 amount) external {

+ if (amount > 100) revert SM__MintTooLarge();

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

215

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.