Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Amount Read from Balance Instead of Signed Message

sharthak18

Description

Line 86 reads amount from current balance instead of using the signed amount from the message. This allows manipulation and frontrunning.

function claimSnowman(..., uint256 amount, ...) external {

// 'amount' parameter is from signed message

// BUT line 86 ignores it and uses current balance:

@> uint256 amount = i_snow.balanceOf(receiver); // WRONG!

// Should use the signed 'amount' parameter instead

}

Risk

Likelihood:

When user try to claim snowman NFT

Impact:

Signed amount is ignored; vulnerable to frontrunning

Proof of Concept

Creat a file inside the test folder and paste the code

Attack Scenarios:

User signs message for 100 tokens
Attacker frontruns, transferring Snow tokens to victim
Victim claims more than signed amount
OR attacker frontruns by removing tokens to grief victim

// SPDX-License-Identifier: MIT

pragma solidity 0.8.24;

import {Test, console} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {DeploySnow} from "../script/DeploySnow.s.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

contract AllVulnerabilitiesPoC is Test {

// Snow.sol contracts

Snow snow;

DeploySnow deployer;

MockWETH weth;

address collector;

uint256 FEE;

// Snowman.sol and SnowmanAirdrop.sol contracts

Snowman snowman;

SnowmanAirdrop airdrop;

bytes32 merkleRoot = bytes32(0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef);

// Test addresses

address alice;

address bob;

address charlie;

address attacker;

function setUp() public {

// Deploy Snow.sol contracts

deployer = new DeploySnow();

snow = deployer.run();

weth = deployer.weth();

collector = deployer.collector();

FEE = deployer.FEE();

// Deploy Snowman.sol and SnowmanAirdrop.sol contracts

snowman = new Snowman("ipfs://snowman");

airdrop = new SnowmanAirdrop(merkleRoot, address(snow), address(snowman));

// Create test addresses

alice = makeAddr("alice");

bob = makeAddr("bob");

charlie = makeAddr("charlie");

attacker = makeAddr("attacker");

// Fund users

deal(alice, 100 ether);

deal(bob, 100 ether);

deal(charlie, 100 ether);

deal(attacker, 100 ether);

weth.mint(alice, 100 * FEE);

weth.mint(bob, 100 * FEE);

weth.mint(charlie, 100 * FEE);

weth.mint(attacker, 100 * FEE);

}

function test_Airdrop_AmountManipulation() public {

// Setup: Alice buys 5 Snow tokens

vm.prank(alice);

snow.buySnow{value: FEE * 5}(5);

uint256 aliceBalance = snow.balanceOf(alice);

assertEq(aliceBalance, 5);

// VULNERABILITY PROOF:

// The claimSnowman function (line 86) uses:

// uint256 amount = i_snow.balanceOf(receiver);

// This means the amount is NOT from the signed message parameter!

// It reads the CURRENT balance, which can be manipulated via frontrunning

// Scenario: Alice signed a message for 100 tokens

// But attacker frontruns and transfers 50 more tokens to Alice

// Now Alice claims 150 instead of the signed 100

// OR attacker removes tokens to grief Alice

// The signed amount parameter in claimSnowman is completely IGNORED!

console.log("Alice balance:", snow.balanceOf(alice));

console.log("Amount used in claim will be balance, NOT signed amount!");

}

Recommended Mitigation

function claimSnowman(..., uint256 amount, ...) external {

// Use the signed amount parameter, not balance

// Remove line 86: uint256 amount = i_snow.balanceOf(receiver);

// Verify user has enough balance

if (i_snow.balanceOf(receiver) < amount) revert InsufficientBalance();

// Rest of validation...

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!