Snowman Merkle Airdrop

AI First Flight #10
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: high
Invalid

Missing zero-address and input validation

Root + Impact

Description

  • The SnowmanAirdrop contract processes claims using provided addresses, amounts, and Merkle proofs.

  • Several functions do not validate critical inputs such as zero addresses or zero amounts. This can lead to unintended behavior, misleading events, or NFTs being minted to invalid addresses.

// Root cause: missing input validation
// @> No checks for zero address or zero amount
function claim(address receiver, uint256 amount, bytes32[] calldata proof) external {
// ...
}

Risk

Likelihood:

  • Occurs when users mistakenly submit invalid inputs

  • Occurs during integrations or scripting errors

Impact:

  • Impact 1: NFTs may be minted to invalid addresses

  • Impact 2: Contract behavior becomes unpredictable or misleading

Proof of Concept

// receiver = address(0)
// amount = 0
// Function executes without reverting
claim(address(0), 0, proof);

Recommended Mitigation

+ require(receiver != address(0), "Invalid receiver");
+ require(amount > 0, "Invalid amount");
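The following is an added illustration of the recommended checks inside a complete claim function; it is example code, not the SnowmanAirdrop contract's own implementation. It assumes a hypothetical ISnowmanNFT interface with a mintSnowman(address, uint256) function and OpenZeppelin's MerkleProof library. Two caveats worth keeping in mind: because the leaf commits to both receiver and amount, an address(0)/0 pair can only pass the proof check if such a leaf was put into the tree, and an OpenZeppelin ERC721 _mint already reverts on address(0). The explicit checks therefore mostly move the failure earlier and give a specific revert reason rather than closing an otherwise open path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Assumed interface for the NFT minted on claim (illustrative, not the project's own).
interface ISnowmanNFT {
    function mintSnowman(address receiver, uint256 amount) external;
}

/// Illustrative Merkle airdrop claim with explicit input validation.
contract ValidatedAirdrop {
    error Airdrop__ZeroAddress();
    error Airdrop__ZeroAmount();
    error Airdrop__AlreadyClaimed();
    error Airdrop__InvalidProof();

    bytes32 public immutable i_merkleRoot;
    ISnowmanNFT public immutable i_nft;
    mapping(address => bool) public s_hasClaimed;

    event Claimed(address indexed receiver, uint256 amount);

    constructor(bytes32 merkleRoot, ISnowmanNFT nft) {
        i_merkleRoot = merkleRoot;
        i_nft = nft;
    }

    function claim(address receiver, uint256 amount, bytes32[] calldata proof) external {
        // Cheap input checks first: they fail fast with a precise reason.
        if (receiver == address(0)) revert Airdrop__ZeroAddress();
        if (amount == 0) revert Airdrop__ZeroAmount();
        if (s_hasClaimed[receiver]) revert Airdrop__AlreadyClaimed();

        // Double-hashed leaf (OpenZeppelin convention) binds receiver and amount together,
        // so a proof for one (receiver, amount) pair cannot be replayed for another.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
        if (!MerkleProof.verifyCalldata(proof, i_merkleRoot, leaf)) revert Airdrop__InvalidProof();

        // Effects before interaction: mark the claim before calling out to the NFT.
        s_hasClaimed[receiver] = true;
        emit Claimed(receiver, amount);
        i_nft.mintSnowman(receiver, amount);
    }
}
```

Placing the zero checks before the proof verification keeps the revert reason specific (callers see Airdrop__ZeroAddress rather than a generic invalid-proof error) and avoids spending gas on hashing inputs that can never be valid.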

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
