s_earnTimer can be updated by anyone calling buySnow(); should be a mapping of address to uint256
Root + Impact
Description
-
The normal behavior of a user earning the Snow token should be that the duration of their earning time be specific to that user's address.
-
The issue is that the `Snow` contract uses a single number as the state variable `uint256 private s_earnTimer`. This does not allow for individualized mapping of a user's address to their earning timer, at least not in the expected manner. `s_earnTimer` is updated anytime the function `buySnow` is called. This functionality of an earn timer being reset by buying snow is not indicated in the README, i.e., the action of earning itself increasing the ability to earn.
Risk
Likelihood:
-
This will occur WHEN any user, even one user, calls
buySnow(). -
When multiple users participate in the protocol, they will update
s_earnTimerby callingbuySnow().
Impact:
-
By updating
s_earnTimeranytimebuySnow()is called, every other user will now be participating in a protocol which has updated his own conditions of participation unbeknownst to him, i.e., the protocol does not make it obvious that EVERY user's earn timer is updating when ONE user callsbuySnow(), and the protocol does not wish to have that mechanism. -
With
s_earnTimergetting updated continually, each user can never be sure of their particular earn timer, in fact, the mechanism of them having a particular earn timer has been destroyed.
Proof of Concept
The above test testEarnTimerIsUpdatedByBuySnow asserts that s_earnTimer is updated when a user calls buySnow().
The above test testNewBuySnowDifferentiatesEarnTimer asserts that s_earnTimerMapping is updated to add particular information for address msg.sender and not for all addresses.
Recommended Mitigation
Above we have included newBuySnow() as a proof of concept for updating a mapping instead of a single uint256. Our testing function testNewBuySnowDifferentiatesEarnTimer asserts the functionality of using a mapping to differentiate and update earn timers between multiple users.
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.