Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Dynamic Balance in Merkle Verification

bravejoy780

Root + Impact

Description

  • Merkle trees are generated at a snapshot point with fixed balances, then verified against static merkle roots.

    The contract uses runtime balance (balanceOf(receiver)) for verification instead of snapshot balance, causing mismatch when balance changes.

// Root cause in the codebase with @> marks to highlight the relevant section
// SnowmanAirdrop.sol
function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external {
uint256 amount = i_snow.balanceOf(receiver); // @> Runtime balance, not snapshot balance
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { // @> Fails if balance changed
revert SA__InvalidProof();
}
}

Risk

Likelihood:

  • Any token transfer between merkle tree generation and claim execution triggers this bug.

  • Users naturally receive/send tokens in normal DeFi operations before claiming.

Impact:

  • Legitimate claims fail when user balance changes, permanently locking them out if signature was pre-generated.

  • Griefing attack: anyone can send 1 wei to a claimer to DoS their claim.

Proof of Concept

  • Merkle tree generated with user having 100 tokens, user transfers tokens before claiming, balance now differs from snapshot.

  • Merkle verification fails because computed leaf hash uses current balance (90) but tree expects snapshot balance (100).

// Merkle tree generated with Alice having 100 tokens, then Alice transfers 10 tokens before claiming.
// Claim reverts with SA__InvalidProof because leaf hash uses 90 tokens but merkle root expects 100 tokens.
function test_BalanceChangeBreaksClaim() public {
// Merkle tree generated with Alice having 100 tokens
bytes32 merkleRoot = generateTree(alice, 100);
// Alice transfers 10 tokens before claiming
vm.prank(alice);
snow.transfer(bob, 10);
// Alice tries to claim with valid merkle proof
vm.prank(alice);
airdrop.claimSnowman(alice, proof, v, r, s);
// Reverts: SA__InvalidProof (balance now 90, not 100)
}

Recommended Mitigation

Pass amount as function parameter instead of reading dynamic balance, verify user has sufficient balance at claim time.

- remove this code
+ add this code
-function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external {
+function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external {
- uint256 amount = i_snow.balanceOf(receiver);
+ if (i_snow.balanceOf(receiver) < amount) revert SA__InsufficientBalance();
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 13 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.&#x20; ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!