Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

`Snow::s_earnTimer` is a single global variable instead of a per-user mapping allowing only one user to earn free Snow per week

ny2

Root + Impact

Description

The earnSnow function is intended to let each eligible user claim one free Snow token once every week as an alternative to purchasing with ETH or WETH.

s_earnTimer is a single uint256 contract-level variable — not a per-user mapping — meaning the one-week cooldown is shared globally. Only one user in the entire protocol can call earnSnow per week. Every subsequent caller is blocked until the week expires. buySnow further compounds this by also resetting the same s_earnTimer, so any user's purchase immediately blocks the free-earn path for all other users for another full week.

// Snow.sol

@> uint256 private s_earnTimer; // Single shared variable — NOT per-user

function earnSnow() external canFarmSnow {

@> if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

revert S__Timer(); // Blocks ALL users after ANY single user earns

}

_mint(msg.sender, 1);

s_earnTimer = block.timestamp;

}

function buySnow(uint256 amount) external payable canFarmSnow {

...

@> s_earnTimer = block.timestamp; // Purchase also resets the global earn cooldown

}

Risk

Likelihood:

The moment any user calls earnSnow, all remaining eligible users are blocked from earning for the next seven days regardless of their own history.
Any user calling buySnow resets the same timer — a single weekly purchase (even buySnow(1)) by any user or attacker blocks the free-earn path for every other user for the entire 12-week farming duration

Impact:

Users who depend on earnSnow as their only path to Snow tokens (without ETH or WETH) are permanently denied the tokens they need to claim their airdrop NFTs
A griefing attacker spends minimal cost — one buySnow(1) call per week — to permanently disable the free earning mechanism for all five whitelisted participants

Proof of Concept

The test demonstrates that s_earnTimer is shared globally across all users. First, Alice earns Snow, causing Bob's immediate earnSnow call to revert due to the global cooldown. After the cooldown expires, Charlie calls buySnow, which resets the same timer and prevents Bob from earning again. Finally, an attacker repeatedly calls buySnow(1) every six days throughout the 12-week farming period, continuously resetting the timer and causing Bob's earnSnow attempts to revert each time. This proves that a single user can indefinitely prevent all other users from earning free Snow with minimal cost.

To run: forge test --match-test test_GlobalTimerBlocksAllOtherUsers -vvvv

function test_GlobalTimerBlocksAllOtherUsers() public {

// Alice earns — this sets the global s_earnTimer

vm.prank(alice);

snow.earnSnow();

assertEq(snow.balanceOf(alice), 1);

// Bob tries immediately after — blocked by the global timer Alice set

vm.expectRevert(Snow.S__Timer.selector);

vm.prank(bob);

snow.earnSnow();

// One week passes — but Charlie buys Snow, resetting the global timer again

vm.warp(block.timestamp + 1 weeks + 1);

vm.deal(charlie, 100 ether);

vm.prank(charlie);

snow.buySnow{value: snow.s_buyFee()}(1); // buySnow resets s_earnTimer!

// Bob is still blocked — charlie's purchase just reset the clock

vm.expectRevert(Snow.S__Timer.selector);

vm.prank(bob);

snow.earnSnow();

// Attacker can repeat this every week for all 12 weeks — near-zero cost DoS

for (uint256 week = 1; week <= 12; week++) {

vm.warp(block.timestamp + 1 weeks + 1);

vm.prank(charlie);

snow.buySnow{value: snow.s_buyFee()}(1);

vm.expectRevert(Snow.S__Timer.selector);

vm.prank(bob);

snow.earnSnow(); // Bob permanently locked out

}

Recommended Mitigation

Two independent changes are needed. First, convert s_earnTimer from a single uint256 into a mapping(address => uint256) so that each user's cooldown is tracked separately. This means Alice earning on Monday does not prevent Bob from earning on Tuesday — they each manage their own one-week window independently.

Second, remove the s_earnTimer = block.timestamp line from buySnow entirely. The earn timer and the buy mechanism are conceptually separate — purchasing Snow has no logical reason to reset the earning cooldown, and the current coupling is what enables the near-zero-cost griefing attack where any buyer blocks all earners for an additional week.

- uint256 private s_earnTimer;

+ mapping(address => uint256) private s_earnTimers;

function earnSnow() external canFarmSnow {

- if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

+ if (s_earnTimers[msg.sender] != 0 &&

+ block.timestamp < (s_earnTimers[msg.sender] + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

- s_earnTimer = block.timestamp;

+ s_earnTimers[msg.sender] = block.timestamp;

}

function buySnow(uint256 amount) external payable canFarmSnow {

if (msg.value == (s_buyFee * amount)) {

_mint(msg.sender, amount);

} else {

i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));

_mint(msg.sender, amount);

}

- s_earnTimer = block.timestamp;

emit SnowBought(msg.sender, amount);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!