Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Global Timer Implementation Prevents Multiple Users from Earning Snow Tokens

comfortnurse021

The earnSnow() function allows users to claim 1 free Snow token once per week during the farming period. This is intended to provide equitable distribution and prevent abuse.
The implementation uses a single global s_earnTimer variable instead of per-user timers. When any user calls earnSnow(), the timer resets for everyone, preventing other users from claiming their weekly free tokens.

https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/Snow.sol#L94

Risk

Likelihood: High

Every time a user successfully claims their free token, the timer resets for all users
As more users participate, the probability of users being unable to claim increases
The timer check occurs on every earnSnow() call, affecting all users equally

Impact: Medium

Legitimate users are unfairly blocked from claiming free tokens they're entitled to
Violates the "once per week per user" promise stated in requirements
Creates user frustration and potential loss of trust in the protocol

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract SnowTest is Test {

Snow public snow;

address public weth = address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);

address public collector = address(0xCollector);

address public alice = makeAddr("alice");

address public bob = makeAddr("bob");

address public charlie = makeAddr("charlie");

function setUp() public {

vm.deal(collector, 100 ether);

snow = new Snow(weth, 0.001 ether, collector);

vm.deal(alice, 10 ether);

vm.deal(bob, 10 ether);

vm.deal(charlie, 10 ether);

}

function test_GlobalTimerBug_PreventMultipleUsers() public {

console.log("=== Testing Global Timer Bug ===");

console.log("Expected: Each user can claim once per week");

console.log("Actual: Global timer prevents multiple users from claiming");

console.log("");

console.log("Day 0: Contract deployed");

vm.warp(1 days);

console.log("\nDay 1: Alice attempts to claim Snow...");

vm.prank(alice);

snow.earnSnow();

console.log("Alice successfully claims 1 Snow");

console.log("Alice Snow balance:", snow.balanceOf(alice));

vm.warp(2 days);

console.log("\nDay 2: Bob attempts to claim Snow...");

vm.prank(bob);

try snow.earnSnow() {

console.log(" BUG: Bob successfully claimed (should have failed with current implementation)");

} catch {

console.log(" Demonstration: Bob's claim fails due to global timer");

console.log(" This is the bug! Bob should be able to claim.");

}

vm.warp(3 days);

console.log("\nDay 3: Charlie attempts to claim Snow...");

vm.prank(charlie);

try snow.earnSnow() {

console.log(" BUG: Charlie successfully claimed");

} catch {

console.log(" Demonstration: Charlie's claim also fails");

console.log(" All users blocked by single timer");

}

vm.warp(8 days);

console.log("\nDay 8: Bob attempts again (1 week after Alice's claim)...");

vm.prank(bob);

snow.earnSnow();

console.log(" Bob successfully claims 1 Snow");

console.log("Bob Snow balance:", snow.balanceOf(bob));

vm.warp(9 days);

console.log("\nDay 9: Alice attempts to claim again...");

vm.prank(alice);

try snow.earnSnow() {

console.log(" BUG: Alice successfully claimed again");

} catch {

console.log(" Demonstration: Alice's claim fails");

console.log(" Timer reset by Bob blocks Alice");

}

function test_CorrectBehavior_WithFixedImplementation() public {

console.log("\);

mapping(address => uint256) userTimers;

uint256 currentTime = 0;

currentTime = 1 days;

console.log("\nDay 1: Alice claims Snow");

require(userTimers[alice] == 0 || currentTime >= userTimers[alice] + 1 weeks, "Timer check");

userTimers[alice] = currentTime;

console.log(" Alice claims successfully");

currentTime = 2 days;

console.log("\nDay 2: Bob claims Snow");

require(userTimers[bob] == 0 || currentTime >= userTimers[bob] + 1 weeks, "Timer check");

userTimers[bob] = currentTime;

console.log("Bob claims successfully");

currentTime = 3 days;

console.log("\nDay 3: Charlie claims Snow");

require(userTimers[charlie] == 0 || currentTime >= userTimers[charlie] + 1 weeks, "Timer check");

userTimers[charlie] = currentTime;

console.log(" Charlie claims successfully");

currentTime = 4 days;

console.log("\nDay 4: Alice tries to claim again");

bool aliceCanClaim = userTimers[alice] == 0 || currentTime >= userTimers[alice] + 1 weeks;

console.log("Alice can claim:", aliceCanClaim ? "Yes" : "No");

console.log(" Correctly fails - Alice must wait 1 week from Day 1");

currentTime = 8 days;

console.log("\nDay 8: Alice tries to claim again");

aliceCanClaim = userTimers[alice] == 0 || currentTime >= userTimers[alice] + 1 weeks;

console.log("Alice can claim:", aliceCanClaim ? "Yes" : "No");

console.log(" Correctly succeeds - 1 week has passed");

console.log("\n=== EXPECTED BEHAVIOR ===");

console.log("Each user can claim independently once per week.");

console.log("User A's claim does not affect User B's eligibility.");

}

function test_EdgeCases() public {

console.log("\n=== Testing Edge Cases ===");

console.log("\nTest: Multiple users in same timestamp");

uint256 startTime = 1 days;

vm.warp(startTime);

vm.prank(alice);

snow.earnSnow();

console.log("Alice claims at timestamp:", startTime);

vm.prank(bob);

try snow.earnSnow() {

console.log(" Bob claimed in same timestamp - bug!");

} catch {

console.log(" Bob correctly blocked (same timestamp)");

}

console.log("\nTest: Exactly 1 week later");

vm.warp(startTime + 1 weeks);

vm.prank(bob);

snow.earnSnow();

console.log("Bob claims exactly 1 week later");

console.log("\nTest: After farming period");

(, bytes memory data) = address(snow).call(abi.encodeWithSignature("i_farmingOver()"));

uint256 farmingOver = abi.decode(data, (uint256));

vm.warp(farmingOver + 1);

vm.prank(charlie);

try snow.earnSnow() {

console.log("Claim succeeded after farming ended");

} catch {

console.log(" Correctly blocked after farming period");

}

function test_StatisticalImpact() public {

console.log("\n=== Statistical Impact Analysis ===");

uint256 userCount = 100;

uint256 farmingDuration = 12 weeks;

uint256 startTime = 0;

uint256 totalClaimsWithBug = farmingDuration / 1 weeks;

console.log("With BUG (global timer):");

console.log(" Total possible claims:", totalClaimsWithBug);

console.log(" Average claims per user:", totalClaimsWithBug * 1e18 / userCount / 1e18);

console.log(" Missed claims:", userCount * 12 - totalClaimsWithBug);

uint256 totalClaimsWithoutBug = userCount * 12;

console.log("\nWithout bug (per-user timer):");

console.log(" Total possible claims:", totalClaimsWithoutBug);

console.log(" Average claims per user: 12");

console.log(" Missed claims: 0");

console.log("\nImpact: Users lose", 12 - totalClaimsWithBug / userCount, "out of 12 possible claims on average");

}

Recommended Mitigation

mapping(address => uint256) private s_userEarnTimers;

Modify earnSnow function

function earnSnow() external canFarmSnow {

uint256 lastEarn = s_userEarnTimers[msg.sender];

if (lastEarn != 0 && block.timestamp < lastEarn + 1 weeks) {

revert S__Timer();

}

_mint(msg.sender, 1);

s_userEarnTimers[msg.sender] = block.timestamp;

emit SnowEarned(msg.sender, 1);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!