Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[H-2] Global Earn Timer Enables Denial of Service on earnSnow()

lmsand

Root + Impact

Root: Shared Timer State
Impact: Reward Function Disabled

Description

The contract enforces a cooldown on earnSnow() using a single global variable.
The contract uses cooldown logic, implemented as an if statement.
But the timer is updated in both earnSnow() and buySnow().
Because s_earnTimer is shared across all users, any call to buySnow() resets the cooldown timer globally.

This creates a flaw where one user can continuously update the timer, preventing all other users from satisfying the cooldown condition required to call earnSnow().

uint256 private s_earnTimer;

if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

revert S__Timer();

}

s_earnTimer = block.timestamp;

Risk

Likelihood: High

Reason:** The attack requires no special permissions and can be executed by any user with minimal cost by periodically calling buySnow() to reset the global timer.

Impact:

Any user can prevent all others from earning Snow tokens

The earnSnow() function becomes effectively unusable

Disrupts a core protocol feature (weekly reward distribution)
Attack is cheap to maintain (only requires periodic calls to buySnow())

Proof of Concept

The following test demonstrates how an attacker can block another user from calling earnSnow() by resetting the global timer.

Step-by-step:

Attacker Action
- The attacker calls buySnow()
- This updates s_earnTimer to the current block timestamp
Victim Attempt
- Another user attempts to call earnSnow()
- The function checks whether 1 week has passed since the last timer update
Failure Condition
- Since the attacker just updated the timer, the cooldown condition fails
- The victim’s transaction reverts with S__Timer()
Sustained Attack
- The attacker can repeatedly call buySnow() before the cooldown expires
- This keeps resetting the timer and permanently blocks all users from earning

function test_DoS_EarnSnow() public {

address attacker = address(1);

address victim = address(2);

vm.deal(attacker, 10 ether);

// Attacker resets timer

vm.prank(attacker);

snow.buySnow{value: snow.s_buyFee()}(1);

// Victim attempts to earn

vm.prank(victim);

vm.expectRevert();

snow.earnSnow();

}

Recommended Mitigation

Replace the global timer with a per-user mapping.
Update logic according to the new mapping.
Remove the timer update from buySnow()

- s_earnTimer = block.timestamp;

- uint256 private s_earnTimer;

+ mapping(address => uint256) private s_earnTimer;

+if (

+ s_earnTimer[msg.sender] != 0 &&

+ block.timestamp < (s_earnTimer[msg.sender] + 1 weeks)

+) {

+ revert S__Timer();

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 6 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!