Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

Submission Details

Impact: medium

Likelihood: low

Invalid

claimSnowman() Reads balanceOf Multiple Times (TOCTOU)

i_snow.balanceOf(receiver) is called on line 76 (zero check) and again on line 84 (actual amount). Additionally, getMessageHash() reads the balance two more times (lines 113, 117). Total: 4 reads of the same value in a single claim flow.

// Root cause in the codebase with @> marks to highlight the relevant section

Likelihood:

Low with current standard ERC20, but any token with transfer hooks could change balance between reads.

Impact:

Merkle proof could be computed on a different amount than what gets transferred.

if (i_snow.balanceOf(receiver) == 0) { // read #1

revert SA__ZeroAmount();

}

// getMessageHash(receiver) reads balanceOf twice more

uint256 amount = i_snow.balanceOf(receiver); // read #4

+ uint256 amount = i_snow.balanceOf(receiver);

+ if (amount == 0) revert SA__ZeroAmount();

Updates

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

This contest has a flat reward structure with the following payouts:

The contest is live. Earn rewards by submitting a finding.

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

The contest is complete and the rewards are being distributed.

Support

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.