Snowman Merkle Airdrop

AI First Flight #10
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: low
Invalid

Incorrect msg.value Handling in buySnow

Root + Impact

Description

buySnow is designed to support either ETH payments or WETH payments for buying Snow tokens. When paying with WETH, no ETH should be sent (msg.value == 0). When paying with ETH, the exact ETH amount must be provided.

In the WETH payment path, there is no check that msg.value is zero.
If a user sends a non-zero msg.value that does not equal s_buyFee * amount, the ETH branch is skipped and the WETH transfer branch executes instead, silently accepting ETH that was never intended as payment.

This leads to the user losing unintended ETH.

```solidity
function buySnow(uint256 amount) external payable canFarmSnow {
    if (msg.value == (s_buyFee * amount)) {
        _mint(msg.sender, amount);
    } else {
        // @> msg.value is not checked to be zero here
        i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
        _mint(msg.sender, amount);
    }
}
```

Risk

Likelihood:

  • Occurs whenever a user mistakenly sends ETH while intending to pay with WETH

Impact:

  • The user will lose their ETH, and the funds can only be recovered by the fee collector, not the user

Proof of Concept

Recommended Mitigation

Explicitly enforce msg.value == 0 in the WETH branch.

```diff
function buySnow(uint256 amount) external payable canFarmSnow {
    if (msg.value == (s_buyFee * amount)) {
        _mint(msg.sender, amount);
    } else {
+       require(msg.value == 0, "ETH not allowed when paying with WETH");
        i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
        _mint(msg.sender, amount);
    }
}
```
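An added Foundry test (not part of this submission or of the Snowman codebase) that exercises both the quoted buySnow branch logic and the recommended require(). SnowLite and MockWETH are constructed stand-ins that assume OpenZeppelin's ERC20/SafeERC20 and forge-std are installed; the canFarmSnow modifier and the fee-collection path are omitted.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
// Constructed WETH stand-in for the test; not the project's contract.
contract MockWETH is ERC20 { constructor() ERC20("Wrapped Ether", "WETH") {} }
// Reduced Snow token with only the quoted buySnow logic (canFarmSnow omitted); `patched` toggles the recommended require().
contract SnowLite is ERC20 {
    using SafeERC20 for IERC20;
    IERC20 public immutable i_weth; uint256 public s_buyFee; bool public patched;
    constructor(IERC20 weth, uint256 fee, bool patched_) ERC20("Snow", "SNOW") {
        i_weth = weth; s_buyFee = fee; patched = patched_;
    }
    function buySnow(uint256 amount) external payable {
        if (msg.value == (s_buyFee * amount)) {
            _mint(msg.sender, amount);
        } else {
            if (patched) require(msg.value == 0, "ETH not allowed when paying with WETH");
            i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
            _mint(msg.sender, amount);
        }
    }
}
contract BuySnowMsgValueTest is Test {
    uint256 constant FEE = 1 ether;
    MockWETH weth = new MockWETH();
    address user = makeAddr("user");
    function _deploy(bool patched) internal returns (SnowLite snow) {
        snow = new SnowLite(weth, FEE, patched);
        deal(address(weth), user, 10 ether); // forge-std cheat: seed the user's WETH balance
        vm.deal(user, 10 ether);
        vm.prank(user);
        weth.approve(address(snow), type(uint256).max);
    }
    function test_UnpatchedKeepsStrayEthAndPullsWeth() public {
        SnowLite snow = _deploy(false);
        vm.prank(user);
        snow.buySnow{value: 0.5 ether}(1); // 0.5 ether != FEE * 1, so the WETH branch runs
        assertEq(address(snow).balance, 0.5 ether);   // the stray ETH is now held by the contract
        assertEq(weth.balanceOf(address(snow)), FEE); // and the full WETH fee was pulled as well
        assertEq(snow.balanceOf(user), 1);
    }
    function test_PatchedRejectsStrayEth() public {
        SnowLite snow = _deploy(true);
        vm.prank(user);
        vm.expectRevert(bytes("ETH not allowed when paying with WETH"));
        snow.buySnow{value: 0.5 ether}(1);
    }
}
```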
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 13 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
