Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

EIP-712 TypeHash Typo Breaks Claim Functionality

fabriziogiannitrapa

EIP-712 TypeHash Typo Breaks Claim Functionality

Description

The claimSnowman function requires a valid EIP-712 signature to authorize claims. The digest is built via getMessageHash, which uses MESSAGE_TYPEHASH in the typed data encoding. Per EIP-712, the type string must exactly match between signer and verifier for signature validation to succeed.

The MESSAGE_TYPEHASH contains a typo: "addres" instead of the correct Solidity/EIP-712 type "address". Any off-chain signer following the EIP-712 specification will use "SnowmanClaim(address receiver, uint256 amount)", producing a different type hash and thus a different digest. The contract will compute a different digest and ECDSA.recover will not return the expected signer, causing all signature checks to fail.

// @> Root cause: "addres" is not a valid EIP-712 type; must be "address"
bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Risk

Likelihood (high):

  • The typo is present in the deployed contract; no runtime condition is required for it to manifest.

  • Any standard EIP-712 signer (e.g. ethers.js, viem, wallet signing) uses the correct "address" type string.

  • The mismatch occurs on every claim attempt.

Impact (high):

  • All legitimate claims fail with SA__InvalidSignature().

  • Core airdrop functionality is unusable; no user can claim Snowman NFTs.

  • Airdrop funds remain locked with no way to distribute them as intended.

Severity (high):

Proof of Concept

  1. Off-chain signer creates a valid EIP-712 signature using "SnowmanClaim(address receiver, uint256 amount)".

  2. User calls claimSnowman(receiver, merkleProof, v, r, s).

  3. Contract computes getMessageHash(receiver) using MESSAGE_TYPEHASH with "addres".

  4. keccak256("SnowmanClaim(addres receiver, uint256 amount)") != keccak256("SnowmanClaim(address receiver, uint256 amount)").

  5. The digest used for verification differs from the one the signer signed.

  6. ECDSA.tryRecover returns an address that does not match receiver.

  7. _isValidSignature returns false; transaction reverts with SA__InvalidSignature().

// Demonstrates the hash mismatch
bytes32 wrongHash = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
bytes32 correctHash = keccak256("SnowmanClaim(address receiver, uint256 amount)");
assert(wrongHash != correctHash); // Hashes differ; signatures will never verify

Recommended Mitigation

Fix the signature for the typehash.

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");

Ensure the off-chain signer uses the exact same type string: "SnowmanClaim(address receiver, uint256 amount)".

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 12 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!