Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Submission Details

Severity: high

Valid

EIP-712 `MESSAGE_TYPEHASH` typo (`addres`) makes standard signatures invalid → `claimSnowman()` DoS

danielowenderefaka

Root + Impact

Description

**Normal behavior:** `SnowmanAirdrop.claimSnowman()` should accept a recipient’s EIP-712 signature authorizing the claim, verify the Merkle proof, transfer the recipient’s `Snow` tokens into the airdrop contract, and mint the corresponding number of `Snowman` NFTs.

**Issue:** `SnowmanAirdrop` hardcodes a misspelled EIP-712 type string (`addres receiver`), so the on-chain digest differs from the standard EIP-712 digest for `SnowmanClaim(address receiver,uint256 amount)`. As a result, signatures produced by standard EIP-712 typed-data encoders are rejected and `claimSnowman()` reverts with `SA__InvalidSignature`.

// src/SnowmanAirdrop.sol

bytes32 private constant MESSAGE_TYPEHASH =

keccak256("SnowmanClaim(addres receiver, uint256 amount)");

// @> "addres" typo changes the typehash, breaking standard EIP-712 signing

// (src/SnowmanAirdrop.sol:49)

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external {

// (src/SnowmanAirdrop.sol:69-83)

...

if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {

// @> standard EIP-712 signatures do not match getMessageHash(receiver)

revert SA__InvalidSignature();

}

...

}

Risk

Likelihood:

- Any claimant / relayer producing signatures via standard EIP-712 typed-data encoding for `SnowmanClaim(address receiver,uint256 amount)` will have the signature rejected (demonstrated in the PoC).

- The typehash is hardcoded and used for every claim.

Impact:

Claim availability failure for signatures produced by standard EIP-712 tooling; eligible users may be unable to claim without custom signing logic that mirrors the on-chain (typoed) typehash.

Proof of Concept

Deterministic local test shows the standard EIP-712 digest signature fails

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

import {Snow} from "../../src/Snow.sol";

import {Snowman} from "../../src/Snowman.sol";

import {SnowmanAirdrop} from "../../src/SnowmanAirdrop.sol";

import {MockWETH} from "../../src/mock/MockWETH.sol";

contract F004_EIP712TypehashTypoSignatureDoS is Test {

bytes32 internal constant ROOT = 0xc0b6787abae0a5066bc2d09eaec944c58119dc18be796e93de5b2bf9f80ea79a;

bytes32 internal constant AL_PROOF_A =

0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52;

bytes32 internal constant AL_PROOF_B =

0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;

bytes32 internal constant AL_PROOF_C =

0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;

function _buySnowWithWeth(MockWETH weth, Snow snow, address buyer, uint256 amount) internal {

uint256 fee = snow.s_buyFee();

uint256 totalFee = fee * amount;

weth.mint(buyer, totalFee);

vm.startPrank(buyer);

weth.approve(address(snow), totalFee);

snow.buySnow(amount);

vm.stopPrank();

}

function _domainSeparator(address verifyingContract) internal view returns (bytes32) {

return keccak256(

abi.encode(

keccak256(

"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"

keccak256(bytes("Snowman Airdrop")),

keccak256(bytes("1")),

block.chainid,

verifyingContract

)

);

}

function _standardDigest(address verifyingContract, address receiver, uint256 amount)

internal

view

returns (bytes32)

{

bytes32 typeHash = keccak256("SnowmanClaim(address receiver,uint256 amount)");

bytes32 structHash = keccak256(abi.encode(typeHash, receiver, amount));

return keccak256(abi.encodePacked("\x19\x01", _domainSeparator(verifyingContract), structHash));

}

function testF004_standardEIP712SignatureFails_dueToTypehashTypo() public {

MockWETH weth = new MockWETH();

Snow snow = new Snow(address(weth), 1, makeAddr("collector"));

Snowman nft = new Snowman("data:image/svg+xml;base64,");

SnowmanAirdrop airdrop = new SnowmanAirdrop(ROOT, address(snow), address(nft));

(address alice, uint256 aliceKey) = makeAddrAndKey("alice");

bytes32[] memory proof = new bytes32[](3);

proof[0] = AL_PROOF_A;

proof[1] = AL_PROOF_B;

proof[2] = AL_PROOF_C;

_buySnowWithWeth(weth, snow, alice, 1);

vm.prank(alice);

snow.approve(address(airdrop), 1);

// Sign the EIP-712 digest derived from the intended (standard) type string.

// This signature will fail verification because the on-chain MESSAGE_TYPEHASH uses a typo ("addres").

bytes32 standardDigest = _standardDigest(address(airdrop), alice, 1);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, standardDigest);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, proof, v, r, s);

}

function testF004_fuzz_standardDigestSignatureDoesNotValidateAgainstContractDigest(uint8 rawAmount) public {

uint256 amount = uint256(bound(rawAmount, 1, 20));

MockWETH weth = new MockWETH();

Snow snow = new Snow(address(weth), 1, makeAddr("collector"));

Snowman nft = new Snowman("data:image/svg+xml;base64,");

SnowmanAirdrop airdrop = new SnowmanAirdrop(ROOT, address(snow), address(nft));

(address alice, uint256 aliceKey) = makeAddrAndKey("alice");

_buySnowWithWeth(weth, snow, alice, amount);

bytes32 standardDigest = _standardDigest(address(airdrop), alice, amount);

bytes32 contractDigest = airdrop.getMessageHash(alice);

assertTrue(contractDigest != standardDigest);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, standardDigest);

(address recovered,,) = ECDSA.tryRecover(contractDigest, v, r, s);

assertTrue(recovered != alice);

}

Recommended Mitigation

Fix the typehash string to match the intended struct definition and canonical EIP-712 encoding

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!