Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: medium
Valid

Claim binds to live balanceOf(receiver): a 1-wei Snow transfer permanently griefs any pending claim

Root + Impact

Description

  • To claim, a recipient signs an EIP-712 message and approves the airdrop; claimSnowman then verifies the signature and Merkle proof and pulls the recipient's Snow. Both the signed digest and the Merkle leaf derive the claim amount from the recipient's live balanceOf, not from a value fixed at signing time.

  • getMessageHash reads i_snow.balanceOf(receiver) (:117) to build the digest, and claimSnowman re-reads it for the leaf (:84, :86). Any third party who changes the recipient's Snow balance after they sign — by sending as little as 1 wei of Snow — makes getMessageHash(receiver) recompute over a different amount. The recipient's pre-signed signature no longer recovers to receiver, so the claim reverts at the signature check (:80-81), before the Merkle check is ever reached. The recipient is locked out.

// src/SnowmanAirdrop.sol
function getMessageHash(address receiver) public view returns (bytes32) {
...
@> uint256 amount = i_snow.balanceOf(receiver); // :117 — live balance drives the digest
return _hashTypedDataV4(
keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))
);
}
function claimSnowman(...) external nonReentrant {
...
@> if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {
revert SA__InvalidSignature(); // :80-81 — fires first on perturbed balance
}
uint256 amount = i_snow.balanceOf(receiver); // :84 — leaf also live-bound
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); // :86
...
}

Risk

Likelihood:

  • The griefer needs only 1 wei of Snow, which is permissionlessly obtainable (earnSnow mints it free, or buySnow). The dust send is a normal ERC20 transfer and can be front-run ahead of the victim's claim.

  • Repeatable: if the victim sends the dust away to restore the committed balance, the griefer re-sends, so the lockout is sustainable.


Impact:

  • The recipient cannot claim their Snowman for as long as the griefer maintains the balance perturbation — a denial of the core claim function targeting any chosen recipient.

  • No funds are stolen; the harm is loss of access to the airdrop, hence Medium rather than High overall.

Proof of Concept

bob (an unprivileged third party, distinct from victim alice) sends 1 wei of Snow to alice after she has signed; her legitimate claim then reverts and she receives no NFT:

function testPoC_DustGriefsClaim() public {
// alice signs over her committed amount (1) — the legitimate pre-sign
bytes32 alDigest = airdrop.getMessageHash(alice); // amount == 1
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, alDigest);
vm.prank(alice);
snow.approve(address(airdrop), 1);
// permissionless griefer: bob holds 1 Snow from setUp, sends it to alice
vm.prank(bob);
snow.transfer(alice, 1);
assertEq(snow.balanceOf(alice), 2); // perturbed off committed value
// claim on alice's behalf now reverts — she is locked out
vm.prank(satoshi);
vm.expectRevert(); // reverts SA__InvalidSignature at :80-81
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
assertEq(nft.balanceOf(alice), 0);
}

Recommended Mitigation


Fix the claim amount at signing time by making it an explicit parameter that the signature and the Merkle leaf both bind to, instead of reading live balanceOf

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
if (receiver == address(0)) { revert SA__ZeroAddress(); }
- if (i_snow.balanceOf(receiver) == 0) { revert SA__ZeroAmount(); }
+ if (amount == 0) { revert SA__ZeroAmount(); }
- if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {
+ if (!_isValidSignature(receiver, getMessageHash(receiver, amount), v, r, s)) {
revert SA__InvalidSignature();
}
- uint256 amount = i_snow.balanceOf(receiver);
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
...
}
- function getMessageHash(address receiver) public view returns (bytes32) {
+ function getMessageHash(address receiver, uint256 amount) public view returns (bytes32) {
- if (i_snow.balanceOf(receiver) == 0) { revert SA__ZeroAmount(); }
- uint256 amount = i_snow.balanceOf(receiver);
+ if (amount == 0) { revert SA__ZeroAmount(); }
return _hashTypedDataV4(
keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))
);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!