Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Typo in MESSAGE_TYPEHASH (Line: bytes32 private constant MESSAGE_TYPEHASH)

jasmine_cyfrin

Root + Impact

Description

"addres" should be "address". This means the EIP-712 typehash computed on-chain will never match what any standard EIP-712 client generates for signing. All legitimate signatures will be rejected, completely breaking the claim-on-behalf functionality.

bytes32 private constant MESSAGE_TYPEHASH =

keccak256("SnowmanClaim(addres receiver, uint256 amount)");

// ^^^^^^^ MISSING AN 's'

Risk

Impact:

"addres" should be "address". This means the EIP-712 typehash computed on-chain will never match what any standard EIP-712 client generates for signing. All legitimate signatures will be rejected, completely breaking the claim-on-behalf functionality.

Proof of Concept

every signature verification will fail, making the airdrop completely unusable. Off-chain signers (frontends, scripts) will use the correct EIP-712 type string with "address", but the contract hashes a different string with "addres". The two hashes will never match, so every legitimately signed claim will be rejected.

The test test_validSignatureReverts shows that even a perfectly valid EIP-712 signature — signed by the correct private key — is rejected by the contract. No user can ever claim their airdrop.

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console} from "forge-std/Test.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {Snowman} from "../src/Snowman.sol";

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

contract TypehashTypoTest is Test {

SnowmanAirdrop airdrop;

Snowman snowman;

uint256 signerPrivateKey = 0xabc123;

address signer;

address receiver = makeAddr("receiver");

uint256 claimAmount = 1e18;

// The CORRECT typehash that any standard EIP-712 signer would use

bytes32 constant CORRECT_TYPEHASH =

keccak256("SnowmanClaim(address receiver, uint256 amount)");

// The BUGGY typehash that lives in the contract (typo: "addres")

bytes32 constant BUGGY_TYPEHASH =

keccak256("SnowmanClaim(addres receiver, uint256 amount)");

function setUp() public {

signer = vm.addr(signerPrivateKey);

// Deploy contracts (assuming constructor takes token + signer)

snowman = new Snowman();

airdrop = new SnowmanAirdrop(address(snowman), signer);

// Fund the airdrop contract with tokens

snowman.mintSnowman(address(airdrop), 100e18);

}

function test_typehashesAreDifferent() public pure {

// Prove the two hashes are NOT equal

assert(CORRECT_TYPEHASH != BUGGY_TYPEHASH);

console.log("Correct typehash:");

console.logBytes32(CORRECT_TYPEHASH);

console.log("Buggy typehash (in contract):");

console.logBytes32(BUGGY_TYPEHASH);

}

function test_validSignatureReverts() public {

// 1. Build the struct hash THE CORRECT WAY (as any frontend would)

bytes32 structHash = keccak256(

abi.encode(CORRECT_TYPEHASH, receiver, claimAmount)

);

// 2. Build the EIP-712 digest using the airdrop's domain separator

bytes32 digest = MessageHashUtils.toTypedDataHash(

airdrop.getDomainSeparator(),

structHash

);

// 3. Sign with the authorized signer

(uint8 v, bytes32 r, bytes32 s) = vm.sign(signerPrivateKey, digest);

// 4. Attempt to claim — this WILL REVERT because the contract

// internally rebuilds the struct hash using BUGGY_TYPEHASH,

// producing a different digest, so ecrecover returns the wrong address.

vm.prank(receiver);

vm.expectRevert(); // signature mismatch → revert

airdrop.claimSnowman(receiver, claimAmount, v, r, s);

}

Recommended Mitigation

Fix the typo from addres to address: That single missing s causes the keccak256 output to be entirely different, which breaks the entire EIP-712 signature verification flow. After the fix, the on-chain typehash will match what any standard EIP-712 library (ethers.js, viem, etc.) produces off-chain, and signature verification will work as intended.

// Before (buggy)

bytes32 private constant MESSAGE_TYPEHASH =

keccak256("SnowmanClaim(addres receiver, uint256 amount)");

// After (fixed)

bytes32 private constant MESSAGE_TYPEHASH =

keccak256("SnowmanClaim(address receiver, uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!