Snowman Merkle Airdrop

AI First Flight #10
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: medium
Likelihood: medium
Invalid

### [M-2] `Snow::buySnow` uses strict ETH equality, causing ETH to be lost to the collector when wrong amount is sent

Description: The payment check in `buySnow` compares `msg.value` with `==`. If a user sends any ETH that does not exactly equal `s_buyFee * amount`, the function falls through to the `else` branch, pulls WETH from the user, and the ETH that was sent remains in the contract, collectible only by the collector.

```solidity
function buySnow(uint256 amount) external payable canFarmSnow {
@>  if (msg.value == (s_buyFee * amount)) {
        _mint(msg.sender, amount);
    } else {
@>      i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
        _mint(msg.sender, amount);
    }
}
```

Impact: A user who sends a slightly incorrect ETH amount (e.g. off by 1 wei) loses that ETH to the collector AND also has the full fee deducted in WETH, effectively paying twice.
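The off-by-one-wei scenario above, written as a Foundry test added here (it is not code from the Snow repository). `MockWETH` and `SnowLite` are constructed stand-ins that keep only the payment logic quoted in the finding: a plain mapping replaces the ERC20 `_mint`, and a bare `transferFrom` replaces `safeTransferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for WETH: just enough ERC20 surface for transferFrom.
contract MockWETH {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 v) external { balanceOf[to] += v; }
    function approve(address s, uint256 v) external returns (bool) { allowance[msg.sender][s] = v; return true; }
    function transferFrom(address f, address t, uint256 v) external returns (bool) {
        allowance[f][msg.sender] -= v; balanceOf[f] -= v; balanceOf[t] += v; return true;
    }
}
// Constructed cut-down Snow: only the buySnow payment logic quoted in the finding (mapping replaces _mint).
contract SnowLite {
    MockWETH public immutable i_weth;
    uint256 public s_buyFee;
    mapping(address => uint256) public balanceOf;
    constructor(MockWETH weth, uint256 fee) { i_weth = weth; s_buyFee = fee; }
    function buySnow(uint256 amount) external payable {
        if (msg.value == s_buyFee * amount) {
            balanceOf[msg.sender] += amount;
        } else {
            // Any other msg.value lands here: WETH is pulled and the ETH sent stays in the contract.
            i_weth.transferFrom(msg.sender, address(this), s_buyFee * amount);
            balanceOf[msg.sender] += amount;
        }
    }
}

contract BuySnowStrictEqualityTest is Test {
    uint256 constant FEE = 1 ether;
    MockWETH weth; SnowLite snow;
    address user = makeAddr("user");
    function setUp() public {
        weth = new MockWETH(); snow = new SnowLite(weth, FEE);
        weth.mint(user, FEE);      // user holds exactly one fee in WETH...
        vm.deal(user, FEE);        // ...and one fee in ETH
        vm.prank(user); weth.approve(address(snow), FEE);
    }
    function test_offByOneWeiPaysTwice() public {
        vm.prank(user);
        snow.buySnow{value: FEE - 1}(1);              // 1 wei short of the exact fee
        assertEq(snow.balanceOf(user), 1);            // one token minted
        assertEq(weth.balanceOf(address(snow)), FEE); // the full fee is taken in WETH...
        assertEq(address(snow).balance, FEE - 1);     // ...and the ETH sent is retained as well
    }
}
```

Run with `forge test --match-contract BuySnowStrictEqualityTest`; the three assertions together show the state the Impact paragraph describes.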

Recommended Mitigation: Check whether any ETH was sent first, then enforce the exact amount.

function buySnow(uint256 amount) external payable canFarmSnow {
- if (msg.value == (s_buyFee * amount)) {
+ if (msg.value > 0) {
+ if (msg.value != s_buyFee * amount) revert S__WrongETHAmount();
_mint(msg.sender, amount);
} else {
i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
_mint(msg.sender, amount);
}
}
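Review bot: `S__WrongETHAmount()` in the added `revert` line is not declared anywhere in the quoted code, so the mitigation also needs an `error S__WrongETHAmount();` declaration in the contract (or a string revert) to compile. Since both branches still end with the identical `_mint(msg.sender, amount);`, that call could be hoisted below the if/else so the branches only decide how the fee is collected.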
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
