Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Submission Details

Severity: medium

Valid

Use of Dynamic Token Balance in Merkle Verification

nidaabbas066

Description:

Use of Dynamic Token Balance in Merkle Verification

Security impact:

This issue is classified as **high **because it directly breaks the core security assumption of the Merkle-based airdrop mechanism.
The contract relies on dynamic on-chain state (balanceOf) instead of immutable, pre-committed Merkle data, leading to incorrect verification behavior.
The flaw affects the fundamental correctness of the claim process and can result in both denial of service for legitimate users and unintended minting behavior.

Impact:

Incorrect Claim Validation:
Legitimate users may fail to claim their airdropped NFTs if their current token balance differs from the value encoded in the Merkle tree.
State Manipulation Risk:
Users can alter their token balance before calling the claim function, leading to inconsistent or unintended verification outcomes.
Breaks Trust Assumptions:
The integrity of the Merkle tree (which should represent fixed allocation data) is violated, making the airdrop unreliable.
Protocol Integrity Risk:
The contract no longer enforces a deterministic and verifiable distribution, which can damage user trust and protocol correctness.

Proof of Concept

Step-by-Step Exploit / Failure Case

Initial State:

User 0xABC... is eligible to claim 100 tokens worth of NFT allocation.

Merkle tree root includes (0xABC..., 100)

Balance Mainipulation:

Before calling claimSnowman, the user increases their token balance:

Receives or transfers tokens to themselves

New balance becomes 1000

Contract Execution

Inside claimSnowman:

uint256 amount = i_snow.balanceOf(receiver); // returns 1000

Leaf Construction

bytes32 leaf = keccak256(abi.encode(receiver, amount));

This becomes:

keccak256(abi.encode(0xABC..., 1000))

Verification Failure

The contract verifies:

MerkleProof.verify(proof, root, leaf)

But the root was built using:

keccak256(abi.encode(0xABC..., 100))

Result: Verification fails

Recommended Mitigation

remove this:

uint256 amount = i_snow.balanceOf(receiver);

Add this:

function claimSnowman(

address receiver,

uint256 amount, // <-- add static amount from Merkle tree

bytes32[] calldata merkleProof,

uint8 v,

bytes32 r,

bytes32 s

) external nonReentrant {

if (receiver == address(0)) revert SA__ZeroAddress();

if (amount == 0) revert SA__ZeroAmount();

if (s_hasClaimedSnowman[receiver]) revert("Already claimed");

// Verify signature

if (!_isValidSignature(receiver, getMessageHash(receiver, amount), v, r, s)) {

revert SA__InvalidSignature();

}

// Generate leaf from static amount

bytes32 leaf = keccak256(abi.encode(receiver, amount));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

// Transfer tokens & mint NFT

i_snow.safeTransferFrom(receiver, address(this), amount);

s_hasClaimedSnowman[receiver] = true;

emit SnowmanClaimedSuccessfully(receiver, amount);

i_snowman.mintSnowman(receiver, amount);

}

function getMessageHash(address receiver, uint256 amount) public view returns (bytes32) {

if (amount == 0) revert SA__ZeroAmount();

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!