Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

SnowmanAirdrop.sol::claimSnowman() sets s_hasClaimedSnowman but never checks it

mr_hacker

Description (Root + Impact)

Description:
The claimSnowman() function sets s_hasClaimedSnowman[receiver] = true at line 94, but this mapping is never checked before processing a claim. The function exists (getClaimStatus()) to read the value but it's never used as a guard.
Impact:

  • If tokens are somehow re-sent to a user's wallet after claiming, they could potentially claim again

  • The claim tracking system is architecturally broken

  • Wastes gas on a storage write that serves no purpose

  • Creates false sense of security for protocol operators

Root Cause (Solidity box)

// @> In SnowmanAirdrop.sol:69-99, the s_hasClaimedSnowman check is MISSING
function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
// @> MISSING: if (s_hasClaimedSnowman[receiver]) revert AlreadyClaimed();
if (receiver == address(0)) {
revert SA__ZeroAddress();
}
// ... more validation logic ...
// @> Line 94: Sets the flag but it's NEVER checked above!
s_hasClaimedSnowman[receiver] = true;
}

Risk

Likelihood:

  • The vulnerability exists in every claim transaction

  • Any user who receives tokens again can potentially exploit

  • No special setup or timing required
    Impact:

  • Double-claiming drains protocol of NFTs

  • Breaks the 1:1 token-to-NFT ratio

  • State tracking is unreliable

Proof of Concept (Solidity box)

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test, console2} from "forge-std/Test.sol";
import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";
import {Snow} from "../src/Snow.sol";
import {Snowman} from "../src/Snowman.sol";
contract MissingClaimGuardPOC is Test {
SnowmanAirdrop airdrop;
Snow snow;
Snowman nft;
address alice;
uint256 aliceKey;
bytes32[] AL_PROOF;
function setUp() public {
// ... setup code ...
}
function testH01_MissingClaimGuardCheck() public {
// Step 1: Check initial claim status
bool initialStatus = airdrop.getClaimStatus(alice);
assertFalse(initialStatus, "Alice should not have claimed yet");
console2.log("Step 1 - Initial claim status:", initialStatus);
// Step 2: Alice approves tokens for transfer
vm.prank(alice);
snow.approve(address(airdrop), 1);
console2.log("Step 2 - Alice approved 1 Snow token");
// Step 3: Generate signature for claim
bytes32 digest = airdrop.getMessageHash(alice);
(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, digest);
console2.log("Step 3 - Generated signature for claim");
// Step 4: Execute claim
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
console2.log("Step 4 - Claim executed successfully");
// Step 5: Verify claim status is now true
bool finalStatus = airdrop.getClaimStatus(alice);
assertTrue(finalStatus, "Alice should be marked as claimed");
console2.log("Step 5 - Final claim status:", finalStatus);
// Step 6: DEMONSTRATE THE BUG - The status was SET but never CHECKED
// If we look at claimSnowman(), there is NO check like:
// if (s_hasClaimedSnowman[receiver]) revert AlreadyClaimed();
console2.log("BUG: s_hasClaimedSnowman is SET but NEVER CHECKED before claim!");
console2.log("If Alice receives more tokens, nothing prevents her from claiming again.");
}
}

Steps to reproduce:

  1. Deploy contracts and setup merkle tree

  2. User claims successfully (status set to true)

  3. Observe that getClaimStatus() returns true

  4. Code review confirms the status is never checked before processing
    Run command: forge test --match-test testH01_MissingClaimGuardCheck -vvv

Recommended Mitigation (diff box)

contract SnowmanAirdrop is EIP712, ReentrancyGuard {
// ... existing errors ...
+ error SA__AlreadyClaimed();
function claimSnowman(
address receiver,
bytes32[] calldata merkleProof,
uint8 v,
bytes32 r,
bytes32 s
)
external
nonReentrant
{
+ // CHECK: Prevent double claims
+ if (s_hasClaimedSnowman[receiver]) {
+ revert SA__AlreadyClaimed();
+ }
+
if (receiver == address(0)) {
revert SA__ZeroAddress();
}
// ... rest of function ...
}
}

Mitigation explanation:

  1. Add SA__AlreadyClaimed custom error for gas-efficient reverts

  2. Add check at the START of claimSnowman() before any other logic

  3. Revert immediately if s_hasClaimedSnowman[receiver] is true

  4. This follows the Checks-Effects-Interactions pattern

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 10 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol  ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!