Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Balance-Dependent Signature and Merkle Verification Breaks Claim Mechanism When Snow Token

akovachev7

Root + Impact

Description

According to the business requirements, users should be able to:

Earn Snow tokens for free once a week during the 12-week farming period
Buy Snow tokens at anytime during the farming period
Stake their Snow tokens in the SnowmanAirdrop contract to receive Snowman NFTs

However, the SnowmanAirdrop contract uses the current Snow token balance for both signature validation and merkle leaf generation during the claim process. This creates a critical mismatch because:

The merkle tree is generated off-chain with fixed (address, amount) pairs at a specific point in time
Users sign messages with their balance at the time of signing
Claim verification uses the balance at the time of claiming

If a user's Snow token balance changes between merkle tree generation and claim execution (by earning, buying, or transferring tokens), both the signature validation and merkle proof verification will fail, making it impossible to claim their NFTs.

In SnowmanAirdrop.sol - Balance-dependent message hash:

function getMessageHash(address receiver) public view returns (bytes32) {

if (i_snow.balanceOf(receiver) == 0) {

revert SA__ZeroAmount();

}

//@audit: Uses CURRENT balance - will differ from signed balance if user earns/buys more tokens

@> uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

In SnowmanAirdrop.sol:69-98 - Balance-dependent claim verification:

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external

nonReentrant

{

if (receiver == address(0)) {

revert SA__ZeroAddress();

}

if (i_snow.balanceOf(receiver) == 0) {

revert SA__ZeroAmount();

}

//@audit: Signature was created with OLD balance, but validation uses CURRENT balance

@> if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {

revert SA__InvalidSignature(); // ❌ Will revert if balance changed

}

//@audit: Gets CURRENT balance instead of the balance used in merkle tree

@> uint256 amount = i_snow.balanceOf(receiver);

//@audit: Generates leaf with CURRENT balance, but merkle tree was built with ORIGINAL balance

@> bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

//@audit: Proof fails because leaf doesn't match any leaf in the pre-computed merkle tree

@> if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof(); // ❌ Will revert if balance changed

}

i_snow.safeTransferFrom(receiver, address(this), amount);

s_hasClaimedSnowman[receiver] = true;

emit SnowmanClaimedSuccessfully(receiver, amount);

i_snowman.mintSnowman(receiver, amount);

}

The protocol encourages users to accumulate Snow tokens (earn weekly, buy anytime), but doing so breaks the claiming mechanism entirely.

Risk

Likelihood:

High: The vulnerability is guaranteed to occur in normal protocol operation:

12-week farming period means users WILL earn additional Snow tokens (once per week)
Users are incentivized to buy Snow tokens to increase their NFT allocation
Any token transfer changes the balance
The protocol explicitly allows and encourages these actions
Time delay between merkle tree generation and claiming is unavoidable

Impact:

Critical: Complete protocol failure affecting core functionality

Users cannot claim Snowman NFTs if their Snow balance changes after merkle tree generation
The main value proposition (earn/buy Snow → stake for NFTs) is broken
Users must have EXACTLY the same balance as recorded in the merkle tree
No recovery mechanism exists - signatures and merkle proofs become permanently invalid
All users who follow the intended protocol flow (earning/buying Snow) are affected
12-week farming period makes this issue unavoidable for active participants
Protocol becomes non-functional for its stated purpose

Proof of Concept

The test demonstrates that when a user's balance changes after signing, the claim fails even with valid merkle proof and signature:

function testClaimSnowmanSignitureFailsAfterBalanceChange() public {

// Alice has balance = 1 (from setup/merkle tree generation)

assert(nft.balanceOf(alice) == 0);

vm.prank(alice);

snow.approve(address(airdrop), 1);

// Alice generates message hash and signature with balance = 1

bytes32 alDigest = airdrop.getMessageHash(alice);

(uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest);

// Time passes (1 week)

vm.warp(block.timestamp + 1 weeks);

vm.roll(block.number + 100);

// Alice earns more Snow tokens (following protocol design)

// Her balance is now 2 instead of 1

vm.startPrank(alice);

snow.earnSnow(); // ❌ Balance changed from 1 to 2

snow.approve(address(airdrop), 1);

vm.stopPrank();

// Satoshi attempts to claim on behalf of Alice using her valid signature and proof

vm.prank(satoshi);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); // ❌ REVERTS!

// Result: Alice CANNOT claim despite:

// ✓ Having valid merkle proof from original tree

// ✓ Having valid signature she created

// ✓ Owning Snow tokens

// ✓ Following the protocol's intended behavior (earning weekly)

}

Expected behavior: Alice should be able to claim her Snowman NFT after earning additional Snow tokens, as this is the intended protocol flow.

Actual behavior: The claim transaction reverts with SA__InvalidSignature because:

The signature was created when amount = 1
The verification uses current balance where amount = 2
The signature check: keccak256(receiver, 1) ≠ keccak256(receiver, 2)
Even if signature passed, merkle verification would fail for the same reason

Attack scenario / Normal usage scenario:

// Week 0: Merkle tree generated with alice balance = 1

// Week 1: Alice signs message with balance = 1

// Week 2: Alice earns more Snow (balance = 2)

// Week 3: Alice tries to claim → ❌ FAILS (signature invalid)

// OR

// Week 0: Merkle tree generated with bob balance = 1

// Week 1: Bob buys more Snow (balance = 1000)

// Week 2: Bob signs and tries to claim → ❌ FAILS (merkle proof invalid)

Recommended Mitigation

Pass the amount as a parameter.

Modify the contract to accept the amount as a parameter rather than reading the current balance. This allows users to claim based on their balance at the time of merkle tree generation:

function claimSnowman(

address receiver,

+ uint256 amount,

bytes32[] calldata merkleProof,

uint8 v,

bytes32 r,

bytes32 s

) external nonReentrant {

if (receiver == address(0)) {

revert SA__ZeroAddress();

}

+ if (amount == 0) {

+ revert SA__ZeroAmount();

+ }

- if (i_snow.balanceOf(receiver) == 0) {

- revert SA__ZeroAmount();

- }

+ // Ensure user has at least the claimed amount

+ if (i_snow.balanceOf(receiver) < amount) {

+ revert SA__InsufficientBalance();

+ }

- if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {

+ bytes32 messageHash = _getMessageHash(receiver, amount);

+ if (!_isValidSignature(receiver, messageHash, v, r, s)) {

revert SA__InvalidSignature();

}

- uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

i_snow.safeTransferFrom(receiver, address(this), amount);

s_hasClaimedSnowman[receiver] = true;

emit SnowmanClaimedSuccessfully(receiver, amount);

i_snowman.mintSnowman(receiver, amount);

}

-function getMessageHash(address receiver) public view returns (bytes32) {

+function getMessageHash(address receiver, uint256 amount) public pure returns (bytes32) {

- if (i_snow.balanceOf(receiver) == 0) {

- revert SA__ZeroAmount();

- }

- uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

+function _getMessageHash(address receiver, uint256 amount) internal view returns (bytes32) {

+ return _hashTypedDataV4(

+ keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

+ );

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!