Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Global Earn Timer Causes Permanent Snow Farming Denial-of-Service

web3mio

Summary

The earnSnow() mechanism is implemented using a single global timestamp (s_earnTimer) that is shared across all users. Because this timer is reset on every buySnow() call, it allows any purchase—malicious or otherwise—to block all users from earning free Snow tokens. This breaks the intended “1 Snow per user per week” reward model and introduces a protocol-wide denial-of-service (DoS) vector.

Affected Code

uint256 private s_earnTimer;

function buySnow(uint256 amount) external payable canFarmSnow {

...

s_earnTimer = block.timestamp; // reset earn timer on buy

}

function earnSnow() external canFarmSnow {

if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

s_earnTimer = block.timestamp;

}

Root Cause

The contract uses a global cooldown variable (s_earnTimer) to enforce a weekly earning limit. This timer is:

Reset on every buySnow() call, regardless of who calls it
Checked globally in earnSnow(), instead of per user

As a result, the cooldown logic is enforced across the entire protocol, not per address.

Impact

❌ The “earn 1 Snow per week” feature is not per user, but effectively per contract
❌ Any user can indefinitely prevent all others from earning by buying Snow once every < 7 days
❌ Normal protocol activity (legitimate buys) can accidentally DoS the earn mechanism
❌ The system does not behave as documented or expected

This turns the earn feature into a globally rate-limited faucet that is trivially griefable.

Attack / Failure Scenario

User A buys Snow → s_earnTimer = now
User B attempts to call earnSnow() → reverts
Any user buys Snow again within a week → timer resets
This cycle can repeat forever, permanently blocking earning

No special permissions or capital are required.

Recommendation

Track earn cooldowns per user, not globally.

mapping(address => uint256) private s_lastEarnTime;

function earnSnow() external canFarmSnow {

uint256 last = s_lastEarnTime[msg.sender];

if (last != 0 && block.timestamp < last + 1 weeks) revert S__Timer();

_mint(msg.sender, 1);

s_lastEarnTime[msg.sender] = block.timestamp;

emit SnowEarned(msg.sender, 1);

}

If buying Snow is intended to delay only the buyer’s earning eligibility, update their personal timestamp in buySnow() instead of a global variable.

Severity

High — Core protocol functionality can be permanently disabled by any user with minimal cost.

Proof of Concept (Foundry)

This PoC demonstrates that any call to buySnow() resets the global s_earnTimer, causing all users to revert in earnSnow() for the next 7 days, regardless of who bought.

function test_GlobalEarnTimer_AllUsersDoSAfterAnyBuy() public {

// Actors

address attacker = makeAddr("attacker");

address victim = makeAddr("victim");

// Fund attacker with enough ETH to buy (or use WETH path depending on deployment)

// We'll use ETH path for simplicity.

vm.deal(attacker, 100 ether);

// 1) First, victim successfully earns when s_earnTimer == 0

vm.prank(victim);

snow.earnSnow();

assertEq(snow.balanceOf(victim), 1);

// Move time forward > 1 week so victim would normally be eligible again

vm.warp(block.timestamp + 1 weeks + 1);

// 2) Attacker buys Snow, which resets the GLOBAL s_earnTimer

uint256 amount = 1;

uint256 cost = snow.s_buyFee() * amount;

vm.prank(attacker);

snow.buySnow{value: cost}(amount);

// 3) Victim tries to earn immediately after attacker buy -> reverts due to global cooldown

vm.prank(victim);

vm.expectRevert(Snow.S__Timer.selector);

snow.earnSnow();

// 4) Attacker can keep the earn feature DOS'd by buying once every < 7 days

vm.warp(block.timestamp + 6 days);

vm.prank(attacker);

snow.buySnow{value: cost}(amount);

// Victim still can't earn

vm.prank(victim);

vm.expectRevert(Snow.S__Timer.selector);

snow.earnSnow();

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 12 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!