Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Global Timer Breaks earnSnow() Function

sharthak18

Description

The s_timer variable is a single global variable shared across all users. When any user calls earnSnow(), it updates this timer and blocks all other users for one week.

@> uint256 private s_earnTimer; // Single global variable shared by all users
function earnSnow() external canFarmSnow {
if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer();
}
_mint(msg.sender, 1);
@> s_earnTimer = block.timestamp; // Updates global timer, blocking ALL users
}
function buySnow(uint256 amount) external payable canFarmSnow {
// ...
@> s_earnTimer = block.timestamp; // Also resets timer, blocking earnSnow users
}

Risk

Likelihood: High

  • After one user earn snow token, the global timer update and block all other user from claim snow token.

  • After one user buy snow token, the global timer reset and block all user to earn


Impact: High

  • Only one user can earn snow tokens per week globally

Proof of Concept

Create a file on test folder an paste the code there.
This test proof that after one user earn others can't & after one user buy the claim users also can't claim on that week

// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;
import {Test, console} from "forge-std/Test.sol";
import {Snow} from "../src/Snow.sol";
import {Snowman} from "../src/Snowman.sol";
import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";
import {DeploySnow} from "../script/DeploySnow.s.sol";
import {MockWETH} from "../src/mock/MockWETH.sol";
contract AllVulnerabilitiesPoC is Test {
// Snow.sol contracts
Snow snow;
DeploySnow deployer;
MockWETH weth;
address collector;
uint256 FEE;
// Snowman.sol and SnowmanAirdrop.sol contracts
Snowman snowman;
SnowmanAirdrop airdrop;
bytes32 merkleRoot = bytes32(0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef);
// Test addresses
address alice;
address bob;
address charlie;
address attacker;
function setUp() public {
// Deploy Snow.sol contracts
deployer = new DeploySnow();
snow = deployer.run();
weth = deployer.weth();
collector = deployer.collector();
FEE = deployer.FEE();
// Deploy Snowman.sol and SnowmanAirdrop.sol contracts
snowman = new Snowman("ipfs://snowman");
airdrop = new SnowmanAirdrop(merkleRoot, address(snow), address(snowman));
// Create test addresses
alice = makeAddr("alice");
bob = makeAddr("bob");
charlie = makeAddr("charlie");
attacker = makeAddr("attacker");
// Fund users
deal(alice, 100 ether);
deal(bob, 100 ether);
deal(charlie, 100 ether);
deal(attacker, 100 ether);
weth.mint(alice, 100 * FEE);
weth.mint(bob, 100 * FEE);
weth.mint(charlie, 100 * FEE);
weth.mint(attacker, 100 * FEE);
}
/// @notice PoC: Global timer prevents all users from earning after first claim
function test_Snow_GlobalTimerBlocksAllUsers() public {
vm.prank(alice);
snow.earnSnow();
assertEq(snow.balanceOf(alice), 1);
vm.warp(block.timestamp + 1);
vm.prank(bob);
vm.expectRevert(Snow.S__Timer.selector);
snow.earnSnow();
vm.warp(block.timestamp + 1 weeks - 1);
vm.prank(bob);
snow.earnSnow();
assertEq(snow.balanceOf(bob), 1);
vm.prank(alice);
vm.expectRevert(Snow.S__Timer.selector);
snow.earnSnow();
}
/// @notice PoC: buySnow() resets global timer, blocking all earnSnow() users
function test_Snow_BuySnowResetsTimerBlockingAllEarns() public {
vm.prank(alice);
snow.earnSnow();
vm.warp(block.timestamp + 1 weeks);
vm.prank(attacker);
snow.buySnow{value: FEE}(1);
vm.prank(alice);
vm.expectRevert(Snow.S__Timer.selector);
snow.earnSnow();
}

Recommended Mitigation

uaing a mappin with userTimer would solve the problem

- function earnSnow() external canFarmSnow {
- if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
- revert S__Timer();
- }
- _mint(msg.sender, 1);
-
- s_earnTimer = block.timestamp;
- }
+ // Use mapping for per-user timers
+ mapping(address => uint256) private s_userTimers;
+ function earnSnow() external {
+ if (block.timestamp - s_userTimers[msg.sender] < 1 weeks) revert S__Timer();
+ s_userTimers[msg.sender] = block.timestamp;
+ _mint(msg.sender, 1);
+}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!