Snowman Merkle Airdrop

AI First Flight #10
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: high
Invalid

Title: Missing return value check in _isValidSignature allows unauthorized NFT claims.

Root + Impact

Description

Normal Behavior: The function _isValidSignature should recover the signer's address from the signature and verify it matches the receiver address to prevent unauthorized claims.

  • Specific Issue: The contract calls ECDSA.tryRecover but ignores its return value. It does not compare the recovered address with the intended receiver, effectively allowing any signature (or even an invalid one) to pass if the function logic doesn't explicitly return false.

Root Cause

(address actualSigner, , ) = ECDSA.tryRecover(digest, v, r, s);
// Missing: return actualSigner == receiver;

Risk

Likelihood: High. Any user can provide a random signature and potentially bypass the security check.

Impact: High. Attackers can claim Snowman NFTs belonging to other users or mint NFTs without valid authorization.


Proof of Concept

An attacker calls claimSnowman for a legitimate receiver address.

  • The attacker provides dummy values for v, r, s.

  • Because _isValidSignature does not validate the actualSigner against the receiver, the check succeeds.

  • The attacker successfully steals the airdrop.

Recommended Mitigation

- (address actualSigner, , ) = ECDSA.tryRecover(digest, v, r, s);
+ (address actualSigner, , ) = ECDSA.tryRecover(digest, v, r, s);
+ return actualSigner == receiver;
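
Review bot: the added return actualSigner == receiver; line still discards the second value returned by ECDSA.tryRecover (the empty slots in the (address actualSigner, , ) tuple), so a failed recovery is not told apart from a successful one. On failure tryRecover returns the zero address, which means the comparison would hold whenever receiver is address(0); check the returned error value, or reject a zero actualSigner, before comparing. The removed and re-added tryRecover lines are identical, so the effective change is only the new return line.
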
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
