Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Global Timer Reset in `buySnow()` Breaks Independent Weekly Earning Requirement

akovachev7

Root + Impact

Description

According to the business requirements, the Snow token protocol should allow users to:

  • Earn Snow for free once a week (independent action per user)

  • Buy Snow at anytime (independent action per user)

An incorrect implementation using a global s_earnTimer state variable allows any user calling buySnow() to reset the earning timer for all users, preventing others from earning Snow even when a full week has passed since their last earn.

In Snow.sol:

function buySnow(uint256 amount) external payable canFarmSnow {
if (msg.value == (s_buyFee * amount)) {
_mint(msg.sender, amount);
} else {
i_weth.safeTransferFrom(
msg.sender,
address(this),
(s_buyFee * amount)
);
_mint(msg.sender, amount);
}
//@audit: Resets the global s_earnTimer for ALL users, blocking everyone from earning
@> s_earnTimer = block.timestamp;
emit SnowBought(msg.sender, amount);
}
function earnSnow() external canFarmSnow {
//@audit: Checks the global s_earnTimer that any buySnow() call can reset
@> if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer();
}
_mint(msg.sender, 1);
s_earnTimer = block.timestamp;
console2.log("New s_earnTimer: ", s_earnTimer);
}

Risk

Likelihood:

  • High: Any user purchasing Snow tokens will reset the global timer, and this will happen frequently in normal protocol operation as buying is an expected and encouraged action.

Impact:

  • High: The protocol fails to deliver on its core business requirement that users can "earn Snow for free once a week." Users who legitimately waited the required week are denied their free Snow tokens due to unrelated users' purchase transactions. This breaks the fundamental incentive mechanism and user experience of the protocol.

Proof of Concept

The test demonstrates how a user (Ashley) who should be able to earn Snow after more than 1 week is blocked because another user (Jerry) purchased Snow, resetting the global timer:

function testEarnSnowAfterBuyFails() public {
// Day 0: Victory earns Snow
uint256 initialEarnSnowBalance = snow.balanceOf(victory);
vm.prank(victory);
snow.earnSnow();
uint256 postEarnSnowBalance = snow.balanceOf(victory);
assert(postEarnSnowBalance == initialEarnSnowBalance + 1);
// Day 8: Time passes (8 days later)
vm.warp(block.timestamp + 8 days);
vm.roll(block.number + 100);
// Day 8: Jerry buys Snow, resetting the global s_earnTimer
uint256 initialSnowBalance = snow.balanceOf(jerry);
vm.startPrank(jerry);
weth.approve(address(snow), FEE);
snow.buySnow(1); // This resets s_earnTimer to Day 8
vm.stopPrank();
uint256 postBuySnowBalance = snow.balanceOf(jerry);
assert(postBuySnowBalance == initialSnowBalance + 1);
// Day 10: Only 2 more days pass (total 10 days since Victory's earn)
vm.warp(block.timestamp + 2 days);
vm.roll(block.number + 100);
// Day 10: Ashley tries to earn but FAILS
// Even though 10 days passed since the last earnSnow() call,
// only 2 days passed since Jerry's buySnow() reset the timer
vm.prank(ashley);
vm.expectRevert(Snow.S__Timer.selector);
snow.earnSnow(); // ❌ Reverts incorrectly
}

  • Expected behavior: Ashley should be able to earn Snow on Day 10 (more than 1 week has passed since the last successful earn).

  • Actual behavior: Ashley is blocked because Jerry's purchase on Day 8 reset the global timer, and only 2 days have passed since then.

Recommended Mitigation


Remove the timer reset from buySnow() Following the requirements that Snow tokens can be bought at any time.

function buySnow(uint256 amount) external payable canFarmSnow {
if (msg.value == (s_buyFee * amount)) {
_mint(msg.sender, amount);
} else {
i_weth.safeTransferFrom(
msg.sender,
address(this),
(s_buyFee * amount)
);
_mint(msg.sender, amount);
}
- s_earnTimer = block.timestamp;
emit SnowBought(msg.sender, amount);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!