Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[M-2] Dynamic amount in signature causes claim failure if receiver's token balance changes

marina_ciuperca

Root + Impact

Description

The getMessageHash() function calculates the message hash using the receiver's current token balance at the time of signing. If the receiver's balance changes between signing and claiming (due to transfers, rewards, or any other token movement), the signature becomes invalid.

function getMessageHash(address receiver) public view returns (bytes32) {

if (i_snow.balanceOf(receiver) == 0) {

revert SA__ZeroAmount();

}

uint256 amount = i_snow.balanceOf(receiver); // Dynamic - changes over time!

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

In the claimSnowman() function, the same dynamic balance is used for verification.

uint256 amount = i_snow.balanceOf(receiver); // Must match signed amount

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

Risk

Likelihood:

Medium to High depending on ecosystem activity
Common scenarios: receiving additional tokens from other users, staking rewards, trading activity
Time gap between merkle tree generation, user signing, and claim execution increases probability

Impact:

Valid signatures become invalid if token balance changes
Users must re-sign every time their balance changes before claiming
Poor user experience and potential loss of claim opportunity
Creates a race condition between signing and claiming

Proof of Concept

Add this test to the test file TestSnowmanAirdrop.t.sol to check that signature fails when the amount changes:

function testClaimFailsWhenBalanceChanges() public {

// Give Alice exactly 25e18 tokens (matching merkle tree)

deal(address(snow), alice, 25e18);

assert(snow.balanceOf(alice) == 25e18);

assert(nft.balanceOf(alice) == 0);

// Alice approves the airdrop contract

vm.prank(alice);

snow.approve(address(airdrop), type(uint256).max);

// Alice signs the message with her current balance (25e18)

bytes32 alDigest = airdrop.getMessageHash(alice);

(uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest);

// BEFORE claiming, increase Alice's balance

deal(address(snow), alice, 35e18);

assert(snow.balanceOf(alice) == 35e18); // Balance changed!

// Attempt to claim - will FAIL with InvalidSignature

// because the signature was created with balance 25e18

// but now balance is 35e18

vm.prank(alice);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); // ← Changed!

airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS);

}

Recommended Mitigation

Pass the amount as a parameter instead of reading it dynamically:

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external

nonReentrant

{

if (receiver == address(0)) {

revert SA__ZeroAddress();

}

- if (i_snow.balanceOf(receiver) == 0) {

- revert SA__ZeroAmount();

- }

+ if (amount == 0) {

+ revert SA__ZeroAmount();

+ }

- if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {

+ if (!_isValidSignature(receiver, getMessageHash(receiver, amount), v, r, s)) {

revert SA__InvalidSignature();

}

- uint256 amount = i_snow.balanceOf(receiver);

+ // Verify user has at least the amount they're claiming

+ if (i_snow.balanceOf(receiver) < amount) {

+ revert SA__InsufficientBalance();

+ }

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

i_snow.safeTransferFrom(receiver, address(this), amount);

s_hasClaimedSnowman[receiver] = true;

emit SnowmanClaimedSuccessfully(receiver, amount);

i_snowman.mintSnowman(receiver, amount);

}

Update getMessageHash():

- function getMessageHash(address receiver) public view returns (bytes32) {

+ function getMessageHash(address receiver, uint256 amount) public pure returns (bytes32) {

- if (i_snow.balanceOf(receiver) == 0) {

- revert SA__ZeroAmount();

- }

- uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!