Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Missing Merkle Root Configuration

bravejoy780

Root + Impact

Description

After generating the Merkle tree, the root hash should be set in the `SnowmanAirdrop` contract so it can verify user claims.

The SnowMerkle script generates a Merkle root and saves it to output.json, but this root is never actually set in the SnowmanAirdrop contract, making proof verification impossible.

// SnowMerkle.sol

function run() public {

// ... generate Merkle tree ...

string memory root = vm.toString(m.getRoot(leafs)); // @> Root calculated

vm.writeFile(string.concat(vm.projectRoot(), outputPath), output); // @> Only saved to file

// @> Never set in the airdrop contract!

}

Risk

Likelihood:

The workflow always writes root to JSON but never sets it in the contract
No code exists anywhere to read the JSON and update the contract

Impact:

All claim attempts will fail due to missing/incorrect Merkle root
Airdrop contract cannot verify any proofs

Proof of Concept

Deploy the airdrop contract through Helper and check its Merkle root state variable - it will be uninitialized (bytes32(0)) because no script sets it after SnowMerkle generates the root.

function testMissingMerkleRoot() public {

(SnowmanAirdrop airdrop,,) = new Helper().helper();

bytes32 rootInContract = airdrop.getMerkleRoot(); // Assuming this getter exists

assertEq(rootInContract, bytes32(0)); // Root was never set!

}

Recommended Mitigation

Add a configuration step in DeploySnowmanAirdrop to read the root from output.json and call airdrop.setMerkleRoot(root) after deployment.

- remove this code

+ add this code

function testMissingMerkleRoot() public {

(SnowmanAirdrop airdrop,,) = new Helper().helper();

bytes32 rootInContract = airdrop.getMerkleRoot(); // Assuming this getter exists

assertEq(rootInContract, bytes32(0)); // Root was never set!

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 13 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!