Merkle leaf computed from live balanceOf instead of fixed amount — claims fail when balance changes after snapshot
Root + Impact
Description
The
claimSnowmanfunction computes the Merkle leaf using the receiver's current Snow token balance at claim time viai_snow.balanceOf(receiver). However, the Merkle tree was generated from a snapshot of balances (via theGenerateInputscript). If the user's balance changes between snapshot and claim time, the computed leaf will differ from the one in the tree, causing proof verification to fail.
Risk
Likelihood:
Users who earn more Snow tokens (via weekly
earnSnow()) or buy tokens (viabuySnow()) between the Merkle tree generation and their claim will have a different balance than the snapshot.Users who transfer any amount of Snow tokens to another address will also have a mismatched balance.
Impact:
Legitimate airdrop recipients are permanently locked out of claiming their NFTs if their Snow balance changes by even 1 token.
The only way to claim is to ensure your balance is exactly what it was when the Merkle tree was generated, which is fragile and unreliable.
Proof of Concept
This test demonstrates that Alice is eligible for the airdrop with a balance of 1 (matching the Merkle tree snapshot), but after earning a second Snow token her balance becomes 2. When she attempts to claim, the Merkle leaf is computed as keccak256(alice, 2) instead of keccak256(alice, 1), which does not match the tree, and the proof verification reverts with SA__InvalidProof.
Recommended Mitigation
Pass amount as a function parameter instead of reading from live balanceOf. The Merkle proof already cryptographically verifies that the (receiver, amount) pair is in the tree, so the on-chain balance check is redundant for verification purposes. An additional require ensures the receiver has enough balance to transfer.
Lead Judging Commences
[M-01] DoS to a user trying to claim a Snowman
# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.