Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Snow.sol::earnSnow() uses global timer allowing one user to block all others

mr_hacker

Description (Root + Impact)

Description:
The earnSnow() function uses a single global s_earnTimer variable. When any user earns Snow, the timer resets for ALL users, not just that user. This allows a malicious actor to repeatedly claim every week and permanently block everyone else from earning free Snow.
Impact:

Griefing attack: one user can block all free Snow earnings for everyone
Attack cost is minimal (just gas) and attacker gets 1 Snow as reward
Breaks the intended weekly free token distribution mechanism
Only users who pay for tokens can acquire Snow

Root Cause (Solidity box)

// @> In Snow.sol:92-99, s_earnTimer is GLOBAL, not per-user

function earnSnow() external canFarmSnow {

// @> This check uses a GLOBAL timer that affects ALL users

if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

// @> This resets the timer for EVERYONE, not just msg.sender

s_earnTimer = block.timestamp;

}

// Note: s_earnTimer is declared as:

// uint256 private s_earnTimer; // <-- GLOBAL variable, not a mapping!

Risk

Likelihood:

Any user calling earnSnow() triggers this for everyone
Attacker is actually rewarded (gets 1 Snow token per week)
Very cheap to execute (only gas cost)
Impact:
Complete Denial of Service on free token distribution
Only paying users can acquire Snow tokens
Protocol's free distribution feature is completely broken

Proof of Concept (Solidity box)

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {DeploySnow} from "../script/DeploySnow.s.sol";

contract GlobalTimerGriefingPOC is Test {

Snow snow;

address attacker;

address victim1;

address victim2;

function setUp() public {

DeploySnow deployer = new DeploySnow();

snow = deployer.run();

attacker = makeAddr("attacker");

victim1 = makeAddr("victim1");

victim2 = makeAddr("victim2");

}

function testM02_GlobalTimerGriefing() public {

// Step 1: Warp to a time when earning is allowed

vm.warp(block.timestamp + 1 weeks + 1);

console2.log("Step 1 - Time warped to allow earning");

// Step 2: Attacker earns Snow (this resets GLOBAL timer)

vm.prank(attacker);

snow.earnSnow();

console2.log("Step 2 - Attacker earned 1 Snow token");

console2.log(" Attacker balance:", snow.balanceOf(attacker));

// Step 3: Victim1 tries to earn 1 second later - BLOCKED!

vm.warp(block.timestamp + 1);

vm.prank(victim1);

vm.expectRevert(); // Reverts with S__Timer()

snow.earnSnow();

console2.log("Step 3 - Victim1 BLOCKED from earning (reverted)");

// Step 4: Victim2 tries 3 days later - STILL BLOCKED!

vm.warp(block.timestamp + 3 days);

vm.prank(victim2);

vm.expectRevert(); // Still reverts with S__Timer()

snow.earnSnow();

console2.log("Step 4 - Victim2 BLOCKED even 3 days later (reverted)");

// Step 5: Show final balances

console2.log("");

console2.log("FINAL BALANCES:");

console2.log("- Attacker:", snow.balanceOf(attacker), "Snow");

console2.log("- Victim1: ", snow.balanceOf(victim1), "Snow");

console2.log("- Victim2: ", snow.balanceOf(victim2), "Snow");

console2.log("");

console2.log("GRIEFING SUCCESS: Attacker blocked ALL victims from free tokens!");

}

function testM02_SustainedGriefingOver4Weeks() public {

address freshVictim = makeAddr("freshVictim");

vm.warp(block.timestamp + 1 weeks + 1);

// Attacker griefs for 4 consecutive weeks

for (uint256 week = 1; week <= 4; week++) {

vm.prank(attacker);

snow.earnSnow();

console2.log("Week", week, "- Attacker earned, victim blocked");

vm.warp(block.timestamp + 1 weeks);

}

assertEq(snow.balanceOf(attacker), 4, "Attacker got 4 Snow");

assertEq(snow.balanceOf(freshVictim), 0, "Victim got 0 Snow");

}

Steps to reproduce:

Attacker calls earnSnow() to reset global timer
Any other user trying to call earnSnow() within 1 week reverts
Attacker repeats every week to permanently block others
Attack is profitable: attacker earns 1 Snow per week
Run command: forge test --match-test testM02 -vvv

Recommended Mitigation (diff box)

contract Snow is ERC20, Ownable {

// ... existing variables ...

- uint256 private s_earnTimer;

+ mapping(address => uint256) private s_earnTimer;

// ... existing code ...

function earnSnow() external canFarmSnow {

- if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

+ if (s_earnTimer[msg.sender] != 0 && block.timestamp < (s_earnTimer[msg.sender] + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

- s_earnTimer = block.timestamp;

+ s_earnTimer[msg.sender] = block.timestamp;

}

+ // Optional: Add getter for user's timer

+ function getEarnTimer(address user) external view returns (uint256) {

+ return s_earnTimer[user];

+ }

}

Mitigation explanation:

Change s_earnTimer from uint256 to mapping(address => uint256)
Each user now has their own independent cooldown timer
User A earning Snow no longer affects User B's ability to earn
Add optional getter function for transparency

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 10 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!