`Snowman::mintSnowman` mints NFTs in an unbounded loop using `_safeMint`, creating a DoS risk and potential reentrancy vector
Root + Impact
Description
The mintSnowman function in Snowman.sol (lines 36-44) loops amount times, calling _safeMint for each iteration. The _safeMint function calls onERC721Received on the recipient if it is a contract, which introduces two risks:
the loop completes.
Denial of Service: If
amountis very large, the loop may exceed the block gas limit, making the transaction impossible to execute.Reentrancy via
onERC721Received: Each_safeMintcall invokes the receiver'sonERC721Receivedcallback, which could re-enter theSnowmanAirdropcontract or other contracts before
Risk
Likelihood:
-
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
-
Reason 2
Impact:
A malicious receiver contract could use the onERC721Received callback to re-enter. While the SnowmanAirdrop::claimSnowman function uses nonReentrant, the Snowman contract itself has no such protection, and if mintSnowman is called directly (which is possible due to [H-1]), the callback can be exploited. Additionally, a legitimate user with a very large Snow token balance could find it impossible to claim because the gas required to mint that many NFTs exceeds the block gas limit.
Proof of Concept
Recommended Mitigation
Consider using _mint instead of _safeMint to avoid the callback (since the receiver has explicitly initiated the claim), or add a maximum mint cap:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.