Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

EIP-712 Typehash Contains Typo Causing Signature Incompatibility

odinshell

Description

The SnowmanAirdrop contract implements EIP-712 typed structured data signing to allow users to authorize claims via off-chain signatures. The signature verification should allow gas-less claims where a third party can submit the claim transaction on behalf of the user.

The MESSAGE_TYPEHASH constant contains a typo - "addres" instead of "address" - which causes the contract's type hash to differ from what standard EIP-712 signing tools would generate. This makes signatures generated by compliant wallets (MetaMask, ethers.js, etc.) incompatible with the contract's verification.

// src/SnowmanAirdrop.sol:49

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

// ^^^^^^^ @> TYPO: "addres" should be "address"

The typehash is used in getMessageHash() to construct the EIP-712 digest:

// src/SnowmanAirdrop.sol:112-122

function getMessageHash(address receiver) public view returns (bytes32) {

// ...

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) // @> Uses wrong typehash

);

}

Risk

Likelihood: Medium

Any user attempting to sign with standard EIP-712 compliant tools will generate incompatible signatures
The typo is subtle and easy to miss during development and testing
Tests pass because they sign the digest returned by getMessageHash() which already includes the typo

Impact: High

Users cannot claim airdrops using standard wallet signing flows
Integration with front-end applications using ethers.js or web3.js will fail
MetaMask and other wallets will produce signatures the contract rejects
The airdrop claim functionality is effectively broken for production use

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

contract TypehashTest is Test {

function testTypehashMismatch() public pure {

// What the contract uses (WRONG - typo)

bytes32 wrongHash = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

// What EIP-712 compliant signers would use (CORRECT)

bytes32 correctHash = keccak256("SnowmanClaim(address receiver, uint256 amount)");

console2.log("Contract typehash: ", vm.toString(wrongHash));

console2.log("Correct typehash: ", vm.toString(correctHash));

// These produce different hashes - signatures will be incompatible

assert(wrongHash != correctHash);

}

Why Tests Pass Despite This Bug:

The test file uses Foundry's vm.sign() which signs whatever digest is returned by getMessageHash():

// test/TestSnowmanAirdrop.t.sol:82-85

bytes32 alDigest = airdrop.getMessageHash(alice); // Returns digest with WRONG typehash

(uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); // Signs the wrong digest

// Verification passes because both use the same wrong typehash

In production, external signing tools would compute:

keccak256("SnowmanClaim(address receiver, uint256 amount)") // Correct

But the contract expects:

keccak256("SnowmanClaim(addres receiver, uint256 amount)") // Typo

Recommended Mitigation

Fix the typo in the typehash constant:

// src/SnowmanAirdrop.sol:49

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 9 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!