Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Malformed MESSAGE_TYPEHASH in SnowmanAirdrop breaks standard EIP-712 signatures, disabling claim-on-behalf for all standard wallets

Root + Impact

Description

  • The protocol's stated feature set includes claiming "directly or via someone else using cryptographic signatures" — i.e. a recipient signs an EIP-712 message and a third party submits it via claimSnowman(receiver, proof, v, r, s).

  • The EIP-712 type string in MESSAGE_TYPEHASH is malformed: receiver's type is misspelled addres (not address). Any EIP-712-compliant signer derives the type hash from the correctly-spelled struct definition, producing a different digest than the contract computes. _isValidSignature recovers over the contract's malformed digest, so a standard signature never recovers to receiver and the claim reverts.

// src/SnowmanAirdrop.sol:49
bytes32 private constant MESSAGE_TYPEHASH =
keccak256("SnowmanClaim(addres receiver, uint256 amount)");
@> // ^^^^^^ "addres" — not the struct's actual `address receiver`

The digest is built with this constant in getMessageHash (:119-121) and recovered against it in _isValidSignature (:107-108); mismatch reverts SA__InvalidSignature at :80-81.

Risk

Likelihood:

  • Every signature produced by a standard EIP-712 wallet (eth_signTypedData_v4) or library, which reconstructs the type hash from the struct, fails to verify. This is the normal, documented way to produce the required v, r, s.

Impact:

  • The claim-on-behalf mechanism — a core advertised feature — is unusable for any standard signer. Recipients relying on standard tooling to delegate their claim are permanently unable to do so.

Proof of Concept

A signature over the correctly-spelled EIP-712 type (what any compliant wallet produces) is rejected:

function testPoC_TypehashBreaksStandardSig() public {
bytes32 CORRECT_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");
bytes32 domainSeparator = keccak256(abi.encode(
keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
keccak256(bytes("Snowman Airdrop")),
keccak256(bytes("1")),
block.chainid,
address(airdrop)
));
uint256 amount = snow.balanceOf(alice); // == 1
bytes32 structHash = keccak256(abi.encode(CORRECT_TYPEHASH, alice, amount));
bytes32 standardDigest = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
assertTrue(standardDigest != airdrop.getMessageHash(alice)); // digests differ
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, standardDigest);
vm.prank(alice);
snow.approve(address(airdrop), 1);
vm.prank(satoshi);
vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); // reverts at :80-81
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
assertEq(nft.balanceOf(alice), 0); // claim did not go through
}

Recommended Mitigation

The type string must exactly match the EIP-712 canonical encodeType of the SnowmanClaim struct — address (correcting the addres typo) and no space after the comma, per the EIP-712 spec (encodeType omits whitespace). Once the on-chain constant matches the struct type, digests produced by standard signers match what getMessageHash computes, and _isValidSignature recovers to receiver, restoring the claim-on-behalf flow.

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!