Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-03] EIP-712 typehash deviates from canonical format ("addres" + space) — breaks all standard-wallet signatures

cthan

[H-03] EIP-712 typehash deviates from canonical format ("addres" + space) — breaks all standard-wallet signatures

Description

SnowmanAirdrop.MESSAGE_TYPEHASH is computed from a typestring that diverges from the EIP-712 canonical format in two ways:

// src/SnowmanAirdrop.sol:49

bytes32 private constant MESSAGE_TYPEHASH = keccak256(

"SnowmanClaim(addres receiver, uint256 amount)"

);

EIP-712 specifies the canonical form "TypeName(type1 name1,type2 name2)" — exact field types, no whitespace except the single space between type and name. The contract violates this in two places:

Spelling: addres instead of address (missing 's')
Spacing: , uint256 (extra space after comma) instead of ,uint256

Either deviation alone produces a different keccak256 digest than the canonical typehash. Both together definitely do.

When a user signs a Snowman claim through MetaMask, ethers.js, viem, Rabby, or a hardware wallet (Ledger/Trezor), the wallet computes the digest using the canonical typestring "SnowmanClaim(address receiver,uint256 amount)". That digest does NOT match the contract's broken MESSAGE_TYPEHASH. The on-chain ECDSA.tryRecover (line 107) returns an address different from receiver, the equality check at line 108 fails, and claimSnowman reverts with SA__InvalidSignature.

The only way to produce a signature the contract will accept is to manually construct the typed-data digest in custom code that mirrors the typo and the extra space — which no standard wallet does.

Risk

Likelihood: High — the bug fires deterministically on every claim attempt that uses standard EIP-712 tooling, which is the documented "claim on behalf" UX.
Impact: High — the protocol's headline "claim on behalf" feature (per README: "Recipients can either claim a Snowman NFT themselves, or have someone claim on their behalf using the recipient's v, r, s signatures") is broken for every user with a standard wallet.
Risk = Likelihood × Impact = High

Impact

Every recipient of the airdrop who attempts to delegate their claim through any standard wallet — MetaMask, Rabby, ethers.js, viem, hardware wallet — produces signatures that revert on-chain. The "claim on behalf" feature is functionally dead for all production-tooling users. The only working path requires hand-rolling signing code that mirrors the contract's broken typestring, which excludes virtually all UX integrations (gasless claims, account abstraction, third-party submitters, dApp frontends).

Proof of Concept

Full PoC at .audit/poc/PoC_H-03.t.sol. The key test function (the second test in the file is a control proving the bug is isolated to the typehash):

function test_CanonicalSignature_IsRejected() public {

// ARRANGE: alice has Snow (minted via Helper); approval set in setUp.

uint256 amount = snow.balanceOf(alice);

assertGt(amount, 0, "alice must have Snow for the signature check to be reached");

// Compute the digest the way a standard wallet would — using the CANONICAL typehash

// ("SnowmanClaim(address receiver,uint256 amount)" — no typo, no space).

bytes32 canonicalDigest = _buildDigest(CANONICAL_MESSAGE_TYPEHASH, alice, amount);

// Alice signs with her private key (standard wallet behaviour).

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, canonicalDigest);

// ACT + ASSERT: claim must revert because the contract computes a DIFFERENT digest

// (using the broken typehash) and recovery yields a wrong address.

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, aliceProof, v, r, s);

assertEq(nft.balanceOf(alice), 0, "alice should not have received any NFT");

}

Test passes inside hardened audit container (forge exit 0). The canonical EIP-712 signature — exactly what every standard wallet produces — is rejected. The companion control test in the file proves a signature using the broken typestring IS accepted, isolating the bug to the typehash constant.

Recommended Mitigation

Fix the typestring to canonical EIP-712 form — both the typo and the extra space:

bytes32 private constant MESSAGE_TYPEHASH = keccak256(

"SnowmanClaim(address receiver,uint256 amount)"

);

After the fix, all EIP-712-compliant wallets produce signatures the contract accepts. Add a unit test that signs a claim using vm.sign against an independently-computed canonical typehash and asserts on-chain recovery matches receiver — this catches future regressions if the typestring is edited.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!