Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Typo in EIP-712 `MESSAGE_TYPEHASH` permanently breaks airdrop claims

Typo in EIP-712 MESSAGE_TYPEHASH permanently breaks airdrop claims

Description

  • in the SnowmanAirdrop contract, SnowmanAirdrop::MESSAGE_TYPEHASH is defined as keccak256("SnowmanClaim(addres receiver, uint256 amount)") notice the typo addres should have been address. According to EIP-712, the type string should always match the struct definition

// Root cause in the codebase with @> marks to highlight the relevant section
@> bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Risk

Likelihood:

  • This vulnerability is triggered every time a user or relayer attempts to execute the claimSnowman function to claim their airdrop.

  • The occurrence is absolute and deterministic because the EIP-712 standard requires an exact string match for the typehash, ensuring that all off-chain signatures generated by the backend will perpetually fail the on-chain verification.

Impact:

  • No user will ever be able to claim their airdrop, the contract will always revert SA__InvalidSignature because the onchain digest will never match the off chain signed digest

Proof of Concept

Generate a hash that the contract creates and a hash that an off-chain backend should create, and assert that they are completely different.

function test_EIP712TypoCausesSignatureMismatch() public view{
// 1. Use alice instead of a new user, because getMessageHash reverts
// if the user has a 0 Snow balance (SA__ZeroAmount).
address user = alice;
// Get her actual balance to use in our manual hash calculation
uint256 amount = snow.balanceOf(user);
// 2. Get the hash generated by the contract (which has the typo)
bytes32 contractHash = airdrop.getMessageHash(user);
// 3. Calculate what the hash SHOULD be (the correct EIP-712 standard)
// Notice "address" is spelled correctly here, just like the off-chain backend will do.
bytes32 correctTypeHash = keccak256("SnowmanClaim(address receiver,uint256 amount)");
bytes32 correctStructHash = keccak256(abi.encode(correctTypeHash, user, amount));
// 4. Prove they don't match!
// The contractHash includes the domain separator, but because the structHash
// is fundamentally different due to the typo, the final hashes will never match.
assert(contractHash != correctStructHash);
}

This test demonstrates the mathematical reality of the EIP-712 standard. The test retrieves the digest generated by the smart contract (which contains the typo) and manually calculates the digest using the correct spelling, exactly as an off-chain backend or wallet would. Because the keccak256 hash function is highly sensitive to even a single character change, the two resulting type hashes are completely different. This proves that any valid ECDSA signature created off-chain using the correct spelling will mathematically fail the on-chain _isValidSignature check, permanently locking users out of the airdrop.

Recommended Mitigation

Just fix the spelling of the contract

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");

This simple fix aligns the on-chain type string with the actual struct definition and the standard EIP-712 format. By correcting the spelling to address, the keccak256 hash of the type string will now perfectly match the hash generated by off-chain signing tools. This allows the final EIP-712 digests to match, enabling the ECDSA.tryRecover function to successfully verify the user's signature and process the airdrop claims as intended.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!