earnSnow Global Timer Prevents Most Users From Earning Snow and Claiming Airdrop
earnSnow Global Timer Prevents Most Users From Earning Snow and Claiming Airdrop
Description
The Snow token is designed so users can either buy Snow or earn 1 Snow per week for free via earnSnow(). The intended behavior is that each user can earn once per week. The claimSnowman function in SnowmanAirdrop requires i_snow.balanceOf(receiver) > 0, so recipients must hold Snow to claim.
The earnSnow() function uses a single global s_earnTimer to enforce the "once per week" cooldown. When any user calls earnSnow(), it updates s_earnTimer = block.timestamp. The check block.timestamp < (s_earnTimer + 1 weeks) then blocks all other users from earning for the next week. Effectively, only one user globally can earn Snow per week instead of each user earning once per week.
Risk
Likelihood (high):
The bug is present in the deployed contract; no special conditions are required.
The first user to call
earnSnow()each week locks out all other users for that week.Over the 12-week
FARMING_DURATION, at most ~12 users can ever earn Snow viaearnSnow().
Impact (high):
Recipients in the Merkle tree who were expected to earn Snow for free cannot obtain a balance.
Without Snow balance, they cannot pass
i_snow.balanceOf(receiver) == 0check and cannot claim their airdrop.Core airdrop distribution is broken for the vast majority of intended free earners.
Severity (high):
Proof of Concept
Merkle tree includes 1000 recipients expected to earn 1 Snow each via
earnSnow().User A calls
earnSnow()at week 1;s_earnTimeris set.User B tries
earnSnow()in week 1; reverts withS__Timer().User C, D, ... all revert until week 2.
Only one user can earn per week; over 12 weeks, at most 12 users earn Snow.
The remaining 988 recipients have 0 Snow and cannot call
claimSnowman.
Recommended Mitigation
Use per-user tracking instead of a global timer.
Remove s_earnTimer = block.timestamp from buySnow() (line 89) as it is unrelated to earning and incorrectly affects the earn cooldown.
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.