Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Missing Claim Deduplication Enables Multiple Airdrop Claims Per Eligible Address

comfortnurse021

The `SnowmanAirdrop` contract lacks a validation check to ensure that an eligible address can only claim the Snowman NFT once. Although the contract tracks claim status via `s_hasClaimedSnowman[receiver] = true` after processing a claim, it never checks this flag before executing the claim logic. This omission allows any eligible user to submit multiple valid claims using the same Merkle proof and signature, resulting in repeated transfers of SNOW tokens and repeated minting of Snowman NFTs.

In a standard Merkle-based airdrop, each eligible address should be able to claim exactly once, enforced by checking a claimed status before processing.

However, the current implementation of claimSnowman performs all validations (signature, Merkle proof, balance) and executes transfers/mints before ever checking whether the user has already claimed. Since the claim status is only set at the end, a malicious actor can replay the same valid claim transaction multiple times to drain the system of NFTs and collect excess SNOW tokens.

root cause,-

https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L69-83

Proof of Concept

Proof of Concept (PoC)

Assume:

User 0xAlice is eligible for 100 SNOW → 100 Snowman NFTs.

Merkle proof and EIP-712 signature are valid for (0xAlice, 100).

Attack Steps:

Call claimSnowman(0xAlice, proof, v, r, s) → succeeds:

Transfers 100 SNOW to contract

Mints 100 Snowman NFTs to 0xAlice

Sets s_hasClaimedSnowman[0xAlice] = true

Immediately resubmit the exact same transaction.

The function does not check s_hasClaimedSnowman[0xAlice] at the start.

All validations (signature, Merkle, balance) still pass (assuming balance ≥100).

Result: Another 100 SNOW transferred, another 100 NFTs minted.

Note: Even if the user’s balance drops below 100 after the first claim, they could top up before the second claim to make balanceOf ≥ amount, enabling repeated abuse.

After initial claim

airdrop.claimSnowman(alice, proof, v, r, s);

Check state

assertEq(snowman.balanceOf(alice), 100);

assertEq(snow.balanceOf(address(airdrop)), 100);

assertTrue(airdrop.getClaimStatus(alice));

Re-submit same transaction → should revert, but doesn't!

airdrop.claimSnowman(alice, proof, v, r, s);

assertEq(snowman.balanceOf(alice), 200);

Recommended Mitigation

+ function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external

nonReentrant

{

if (receiver == address(0)) {

revert SA__ZeroAddress();

}

ROOT CAUSE: THIS CHECK IS MISSING

if (s_hasClaimedSnowman[receiver]) {

revert SA__AlreadyClaimed();

}

// ...

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!