Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

`SnowmanAirdrop::claimSnowman` computes Merkle leaf from live token balance instead of fixed allocation permanently locking users whose balance changed

ny2

Root + Impact

Description

The Merkle tree is built at deployment time from input.json with fixed allocations per address. At claim time the contract should verify a user's proof against that committed, fixed allocation.

However, claimSnowman computes the Merkle leaf using i_snow.balanceOf(receiver) at the moment of the call rather than using the allocation passed as part of the proof. Any user whose Snow balance has changed since Merkle tree generation by buying more tokens, earning a second time, or receiving tokens from another address produces a leaf that does not exist in the tree, causing a permanent SA__InvalidProof revert with no recovery path.

// SnowmanAirdrop.sol

@> uint256 amount = i_snow.balanceOf(receiver); // Live balance — changes after tree generation

@> bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

// Leaf computed from live balance. If balance != committed allocation, proof always fails.

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

@> revert SA__InvalidProof(); // Permanent revert — no recovery path for the user

}

Risk

Likelihood:

Users call buySnow() at any point before claiming, increasing their balance above the committed allocation in the tree
Users call earnSnow() a second time after the global timer permits, adding to their balance
Any third party transfers Snow tokens to a whitelisted address, invalidating that address's proof

Impact:

Legitimate whitelisted users are permanently locked out of their Snowman NFT airdrop with no on-chain recovery mechanism
The protocol's core delivery — getting NFTs to intended recipients — fails silently based purely on when users interact with their own token balance

Proof of Concept

The test shows that Alice becomes permanently unable to claim her Merkle airdrop after buying extra tokens, because claimSnowman uses her live balance (2 instead of the fixed allocation 1) to compute the Merkle leaf, causing the proof to fail against the immutable tree and permanently locking her out.

To run: forge test --match-test test_UserLockedOutAfterBuyingMoreSnow -vvvv

function test_UserLockedOutAfterBuyingMoreSnow() public {

// Alice has exactly 1 Snow — matching her Merkle tree allocation

assertEq(snow.balanceOf(alice), 1);

// Alice legitimately buys one more Snow token

vm.deal(alice, 100 ether);

vm.prank(alice);

snow.buySnow{value: snow.s_buyFee()}(1);

assertEq(snow.balanceOf(alice), 2); // Balance now 2, but tree committed to 1

// Alice approves and attempts to claim her airdrop

vm.prank(alice);

snow.approve(address(airdrop), type(uint256).max);

bytes32 digest = airdrop.getMessageHash(alice);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alicePrivKey, digest);

// Claim permanently fails — computed leaf uses amount=2, tree has leaf for amount=1

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);

vm.prank(alice);

airdrop.claimSnowman(alice, aliceProof, v, r, s);

// Alice can never claim — she cannot reduce her balance (no burn function)

// She cannot change her Merkle proof — the tree is immutable

}

Recommended Mitigation

Pass the allocation as an explicit uint256 allocation parameter to claimSnowman and use it everywhere the live balance was previously used:

+ error SA__InsufficientBalance();

function claimSnowman(

address receiver,

+ uint256 allocation,

bytes32[] calldata merkleProof,

uint8 v,

bytes32 r,

bytes32 s

) external nonReentrant {

if (receiver == address(0)) revert SA__ZeroAddress();

- if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();

+ if (allocation == 0) revert SA__ZeroAmount();

+ if (i_snow.balanceOf(receiver) < allocation) revert SA__InsufficientBalance();

if (!_isValidSignature(

receiver,

- getMessageHash(receiver),

+ getMessageHash(receiver, allocation),

v, r, s

)) revert SA__InvalidSignature();

- uint256 amount = i_snow.balanceOf(receiver);

- bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

+ bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, allocation))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

+ s_hasClaimedSnowman[receiver] = true;

- i_snow.safeTransferFrom(receiver, address(this), amount);

+ i_snow.safeTransferFrom(receiver, address(this), allocation);

- s_hasClaimedSnowman[receiver] = true;

- emit SnowmanClaimedSuccessfully(receiver, amount);

- i_snowman.mintSnowman(receiver, amount);

+ emit SnowmanClaimedSuccessfully(receiver, allocation);

+ i_snowman.mintSnowman(receiver, allocation);

}

- function getMessageHash(address receiver) public view returns (bytes32) {

+ function getMessageHash(address receiver, uint256 allocation) public view returns (bytes32) {

- if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();

- uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(

MESSAGE_TYPEHASH,

- SnowmanClaim({receiver: receiver, amount: amount})

+ SnowmanClaim({receiver: receiver, amount: allocation})

))

);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!