Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Snow.sol — Global s_earnTimer Shared Between buySnow and earnSnow Allows Permanent DoS of Free Earn Function

bamgboseoluwole83

Root + Impact

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

### Description

The `s_earnTimer` state variable enforces a one-week cooldown for the `earnSnow` function. However, this variable is incorrectly reset by both the `earnSnow` and `buySnow` function execution flows.

Because the tracking state variable is global rather than user-specific, a malicious actor can call `buySnow` with a minimal amount once per week. This continuously resets the shared timer state, permanently blocking all other honest users from invoking `earnSnow`. The attacker only incurs the minimal cost of the smallest possible `buySnow` transaction fee to sustain this Denial of Service (DoS) indefinitely.

### Risk

High. The free token-earning mechanism is permanently disabled for every protocol participant. The `earnSnow` function becomes entirely unusable across the application lifecycle. This breaks the protocol's accessibility promise and forces all users into paid minting mechanics.

### Likelihood

High. Executing the attack requires zero specialized conditions or high financial overhead. The attacker can maintain the protocol-wide lockout indefinitely using cheap automated scripts.

### Proof of Concept

Add the following target test to your Foundry environment to validate the global state lockout:

```solidity

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import "forge-std/Test.sol";

import "../src/Snow.sol";

contract SnowGriefingTest is Test {

Snow public snow;

address public alice = address(0x1);

address public bob = address(0x2);

uint256 public fee = 0.01 ether;

function setUp() public {

// Initialize contracts here

}

function test_EarnTimerGrief() public {

// 1. Alice earns successfully initially

vm.prank(alice);

snow.earnSnow();

assertEq(snow.balanceOf(alice), 1);

// 2. Bob buys Snow, inadvertently resetting the global shared timer state

vm.warp(100);

vm.prank(bob);

snow.buySnow{value: fee * 1}(1);

// 3. Alice tries to earn again during a normal period but is blocked

vm.warp(200);

vm.prank(alice);

vm.expectRevert();

snow.earnSnow();

// 4. Bob repeats the process weekly, DoSing the contract permanently

vm.warp(604901);

vm.prank(bob);

snow.buySnow{value: fee * 1}(1);

vm.warp(605001);

vm.prank(alice);

vm.expectRevert();

snow.earnSnow();

}

```

Run the validation using:

```bash

forge test --match-test test_EarnTimerGrief -vvv

```

### Tools Used

Manual Review, Foundry, CodeHawks IDE.

### Recommended Mitigation

Replace the single global `s_earnTimer` variable with an address-indexed mapping. Each individual user's earn cooldown should track independently from buying activity.

Update `Snow.sol` with the following architectural change:

```solidity

// 1. Replace the global variable declaration

mapping(address => uint256) public s_earnTimer;

// 2. Enforce independent mapping boundaries inside earnSnow

function earnSnow() external {

if (block.timestamp < s_earnTimer[msg.sender]) revert S__TimerActive();

s_earnTimer[msg.sender] = block.timestamp + 1 weeks;

_mint(msg.sender, 1);

}

// 3. Remove any timer modification logic from the buySnow routine entirely.

```

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2

Impact:

Impact 1
Impact 2

Proof of Concept

Recommended Mitigation

- remove this code

+ add this code

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!