Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[M-2] State-Dependent Signature Design Causes Unreliable and Fragile Authorization

lmsand

Root + Impact

Root: Signature Depends on Dynamic balanceOf
Impact: Invalid Signatures / Broken UX

Description

The contract generates the signed message hash using the receiver’s current Snow balance.
This value is used in the EIP-712 digest.
Because amount is derived from balanceOf(receiver), the signed message is dependent on dynamic on-chain state rather than fixed user input. This creates a design flaw where signatures are only valid for a specific balance at a specific moment in time.

uint256 amount = i_snow.balanceOf(receiver);

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

Risk

Likelihood: Medium

Reason: Balance changes are common in token systems, making signature invalidation likely in real usage.

Impact:

Signatures become invalid if the user’s balance changes after signing

Users cannot reliably generate valid signatures

Claims may unexpectedly fail due to unrelated balance changes
Breaks the expected determinism of EIP-712 signatures

Proof of Concept

The following scenario demonstrates how a valid signature becomes invalid due to a balance change.

Step-by-step:

Initial State
- User has 10 Snow tokens
- User generates and signs a message (digest includes amount = 10)
State Change
- User’s Snow balance changes (e.g., receives more tokens → balance = 20)
Claim Attempt
- Contract recomputes the digest using current balance (amount = 20)
- The new digest no longer matches the original signed message
Result
- Signature verification fails
- Claim reverts with SA__InvalidSignature

// Step 1: user signs with balance = 10

bytes32 digest = airdrop.getMessageHash(user);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(userKey, digest);

// Step 2: balance changes

deal(address(snow), user, 20 ether);

// Step 3: claim fails due to signature mismatch

vm.prank(user);

vm.expectRevert();

airdrop.claimSnowman(user, proof, v, r, s);

Recommended Mitigation

Use a fixed amount parameter instead of deriving it from balanceOf.
Then:
- Include amount in:
  - the signed message
  - the Merkle leaf

- remove this code

+ add this code

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 6 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!