Claims Can Become Unusable Because Merkle Amount Is Derived From Mutable Token Balance
Root + Impact
Description
-
The intended behavior is that the Merkle tree defines each eligible receiver and the amount of Snow they can redeem for Snowman NFTs. A user with a valid proof should be able to claim the allocation assigned to them in the tree.
-
The issue is that claimSnowman does not accept the Merkle allocation amount as an input. Instead, it reads the receiver’s current Snow balance and uses that live balance to build the Merkle leaf. This means the proof only works while the receiver’s current token balance exactly matches the amount encoded in the Merkle tree.
Risk
Likelihood: High
Snow is a transferable ERC20, so balances naturally change through transfers.
Users can continue earning or buying Snow after the Merkle root is generated.
A valid claimant’s proof stops matching once their current balance differs from their snapshotted allocation.
Impact: Medium
Eligible users can be unable to claim their NFTs despite being included in the Merkle tree.
The airdrop becomes dependent on users preserving an exact balance until claim time.
Off-chain Merkle data no longer represents a stable allocation; it represents a fragile balance snapshot.
Proof of Concept
The following PoC shows a valid claimant becoming unable to claim after their balance changes. Alice is included in the Merkle tree with an allocation of 1. Before claiming, she earns or receives one additional Snow token. The contract then builds the leaf with amount 2, but the Merkle proof was generated for amount 1, so the claim reverts.
This happens because the contract treats the current ERC20 balance as the allocation amount instead of using the amount committed in the Merkle tree.
Recommended Mitigation
Pass the claim amount into claimSnowman, include that same amount in the signed EIP-712 digest, and verify the Merkle proof against that explicit amount. This makes the claim amount stable and independent from unrelated balance changes.
Lead Judging Commences
[M-01] DoS to a user trying to claim a Snowman
# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.