Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

`SnowmanAirdrop::claimSnowman` uses live `balanceOf` for both Merkle leaf and transfer amount, making the claim fragile and exploitable

alvap

Root + Impact

Description

The claimSnowman function in SnowmanAirdrop.sol reads i_snow.balanceOf(receiver) at line 84 to determine the amount used for both the Merkle leaf verification (line 86) and the token transfer (line 92). The Merkle tree is built with a snapshot of user balances at tree generation time. If the user's balance changes between tree generation and claim time (e.g., they buy/earn more tokens, or transfer some away), the Merkle proof will fail because the leaf no longer matches.

// SnowmanAirdrop.sol, lines 76-92
if (i_snow.balanceOf(receiver) == 0) { revert SA__ZeroAmount(); }
// ...
uint256 amount = i_snow.balanceOf(receiver); // @audit Live balance, not a fixed claim amount
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); }
i_snow.safeTransferFrom(receiver, address(this), amount);

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • Reason 2

Impact:

Users who legitimately earn or buy additional Snow tokens after the Merkle tree snapshot will be unable to claim their airdrop because their current balance no longer matches the stored Merkle leaf. Conversely, this creates a dependency on the user maintaining the exact same balance, which is unreliable in a live environment. The claim function should accept the amount as a parameter (as it is already part of the Merkle leaf) rather than reading it from live state.

Proof of Concept

  1. Merkle tree generated with Alice's balance = 1 Snow token.

  2. Alice buys 1 more Snow token. Her balance is now 2.

  3. Alice calls claimSnowman. The function reads balanceOf(alice) = 2.

  4. The leaf is computed as keccak256(keccak256(abi.encode(alice, 2))).

  5. The Merkle proof was generated for keccak256(keccak256(abi.encode(alice, 1))).

  6. Proof verification fails. Alice cannot claim.

Recommended Mitigation

Pass the amount as a function parameter and use it for both the Merkle proof and the transfer:

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
if (receiver == address(0)) { revert SA__ZeroAddress(); }
- if (i_snow.balanceOf(receiver) == 0) { revert SA__ZeroAmount(); }
+ if (amount == 0) { revert SA__ZeroAmount(); }
// ...
- uint256 amount = i_snow.balanceOf(receiver);
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!