Snowman Merkle Airdrop

First Flight #42

Beginner FriendlyFoundrySolidityNFT

100 EXP

View all submissions

Previous Next

Submission Details

Impact: medium

Likelihood: medium

missing protection against reentrancy attack

Author Revealed upon completion

🔐 Reentrancy Vulnerability in `Snow.collectFee()`

📋 Description

🔧 Normal Behavior

The collectFee() function allows the s_collector to collect all WETH and ETH held by the contract. It does this by calling the transfer() function on the WETH token and then sending the native ETH via a low-level call.

🐞 Specific Issue

The contract does not protect the collectFee() function against reentrancy attacks. Because it uses a low-level call to send ETH directly to the s_collector, a malicious contract can exploit this by reentering the collectFee() function (or other vulnerable external functions) during the fallback execution, draining ETH or disrupting the logic.

function collectFee() external onlyCollector {

uint256 collection = i_weth.balanceOf(address(this));

i_weth.transfer(s_collector, collection);

@> (bool collected,) = payable(s_collector).call{value: address(this).balance}("");

@> require(collected, "Fee collection failed!!!");

}

🚨 Risk

📈 Likelihood

The s_collector can be a contract, and nothing prevents it from being a malicious one.
As soon as collectFee() is called and ETH is transferred via call, the fallback function of the recipient contract can reenter the collectFee() function or another vulnerable function.

💥 Impact

An attacker can recursively call collectFee() to drain ETH from the contract before the function finishes executing.
It may also interfere with any future logic or upgrade mechanisms that depend on internal state updates happening after the ETH transfer.

🧪 Proof of Concept

Here’s a minimal malicious contract that can exploit the vulnerability if set as the s_collector:

contract MaliciousCollector {

address public vulnerable;

constructor(address _target) {

vulnerable = _target;

}

receive() external payable {

// Reenter collectFee while ETH is being sent

Snow(vulnerable).collectFee();

}

function attack() external {

Snow(vulnerable).collectFee(); // Initial call triggers reentrancy

}

✅ Set s_collector = MaliciousCollector, then call attack() to recursively drain ETH.

🛠️ Recommended Mitigation

✅ Use Reentrancy Protection

Import OpenZeppelin’s ReentrancyGuard:

+ import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";

Apply nonReentrant to the vulnerable function:

- contract Snow is ERC20, Ownable {

+ contract Snow is ERC20, Ownable, ReentrancyGuard {

- function collectFee() external onlyCollector {

+ function collectFee() external onlyCollector nonReentrant {

🧱 Optional: Use Checks-Effects-Interactions Pattern

Move ETH transfer logic to the end of the function and update state before external interactions, if applicable.

🛡️ Security Recommendations

Always protect external ETH transfers with reentrancy guards.
Favor call with caution and ensure minimal logic is executed after external calls.
Restrict sensitive roles like s_collector to EOAs or audited contracts.

Rewards breakdown

nSLOC

215

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.