Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

Unfair Time-Based Distribution

bravejoy780

Root + Impact

Description

Airdrop distributions should be based on fair, predetermined criteria like snapshot balances or participation metrics.

The distribution is determined by arbitrary time warping during script execution, where each user earns tokens at different timestamps (1 week apart), creating inconsistent and unpredictable amounts.

// Helper.sol

vm.prank(alice);

snow.earnSnow();

aliceSB = snow.balanceOf(alice); // @> Alice earns at T0

vm.warp(block.timestamp + 1 weeks); // @> Arbitrary time manipulation

vm.prank(bob);

snow.earnSnow(); // @> Bob earns at T0 + 1 week

bobSB = snow.balanceOf(bob); // @> Different amount due to time difference

Risk

Likelihood:

The script always executes in this sequential order with time warps
If earnSnow() has time-dependent logic, amounts will differ

Impact:

Unfair distribution not based on merit or actual user activity
Airdrop amounts determined by script execution order, not design

Proof of Concept

Run Helper.run() and compare aliceSB vs eliSB - if earnSnow() is time-dependent, Eli receives different (likely more) tokens simply because the script warps time 4 weeks forward before his call.

function testUnfairDistribution() public {

Helper helper = new Helper();

helper.run();

// Assuming earnSnow() gives more tokens based on block.timestamp

assertTrue(helper.eliSB() > helper.aliceSB()); // Eli benefits from later timestamp

}

Recommended Mitigation

Remove time warps and use predetermined fixed amounts (e.g., snowAmountAlice = 100e18) or read balances from actual historical on-chain snapshots.

- remove this code

+ add this code

- vm.warp(block.timestamp + 1 weeks);

- vm.prank(bob);

- snow.earnSnow();

+ // Use fixed amounts or snapshot from real on-chain state

+ snowAmountAlice = 100e18; // Predetermined fair amounts

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 13 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!