Global s_earnTimer variable causes complete Denial of Service (DoS) for all free token claims
Root + Impact
Description
-
The protocol intends to allow every individual user to claim one free
Snowtoken per week via theearnSnow()function, using a cooldown timer to prevent spam. -
The
s_earnTimerstate variable used to enforce this cooldown is implemented as a single, globaluint256rather than a user-specific mapping. Because of this, the timer is globally overwritten every time any user callsearnSnow()orbuySnow(), permanently bricking the claim mechanic for the rest of the entire user base.
Risk
Likelihood:
-
Occurs immediately after the very first user successfully claims a free token.
-
Occurs immediately every time any user purchases a token using ETH or WETH.
Impact:
-
Complete Denial of Service (DoS) of the free token farming mechanic.
-
Loss of core protocol functionality, making it mathematically impossible for the user base to earn tokens as advertised.
Proof of Concept
Narrative Setup: The following Foundry test proves that a single user interacting with the protocol permanently blocks all other users from utilizing the earnSnow() mechanic.
Execution Steps:
We simulate a normal user (Ashley) claiming her free weekly token.
We advance the blockchain time by 1 day.
We simulate a completely new user (Jerry) attempting to claim a token.
The test expects Jerry's transaction to revert with
S__Timer(), proving he is blocked by Ashley's action.The second test proves that purchasing tokens via
buySnowalso globally resets the timer for free claims.
How to run this test: Place the following code inside the protocol's existing TestSnow.t.sol file and execute: forge test --match-test test_POC_ -vvv
Recommended Mitigation
Architectural Fix: To enforce a per-user cooldown, the state architecture must be changed from a single global variable to a mapping. This ensures every address has its own independent timer state.
Additionally, the state update inside buySnow() must be completely removed. Purchasing a token should have no mechanical link to the free-claim cooldown timer.
This fix adds a negligible amount of gas overhead (standard SSTORE mapping costs) but fundamentally restores the core business logic of the protocol.
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.