Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[H-04] `s_earnTimer` is global — one user's action blocks all others from earning, and `buySnow(0)` griefs for free

webrainsec

Description

s_earnTimer is a single uint256 storage variable shared by all users. When any user calls earnSnow() or buySnow(), the timer resets for everyone. Only one user globally can earn a free Snow token per week. Worse, buySnow(0) costs nothing (0 * fee = 0 ETH, mints 0 tokens) but still resets the global timer, providing a free griefing vector that permanently blocks all users from earning.

Vulnerability Details

// src/Snow.sol, line 30

uint256 private s_earnTimer; // @> GLOBAL — not a mapping

// src/Snow.sol, lines 92-99

function earnSnow() external canFarmSnow {

if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

revert S__Timer(); // @> ALL users blocked if ANY user earned/bought recently

}

_mint(msg.sender, 1);

s_earnTimer = block.timestamp; // @> resets timer for EVERYONE

}

// src/Snow.sol, lines 79-89

function buySnow(uint256 amount) external payable canFarmSnow {

if (msg.value == (s_buyFee * amount)) { // 0 == 0 when amount=0

_mint(msg.sender, amount); // mints 0 tokens

} else {

i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));

_mint(msg.sender, amount);

}

s_earnTimer = block.timestamp; // @> resets timer even for amount=0!

}

Two separate issues compound here:

Global timer: s_earnTimer should be mapping(address => uint256) so each user has their own weekly cooldown. Instead, the first user to earn each week locks out everyone else.
buySnow(0) griefing: Calling buySnow(0) with msg.value = 0: the condition 0 == s_buyFee * 0 evaluates to true, _mint(msg.sender, 0) is a no-op, and s_earnTimer = block.timestamp resets the global timer. Zero cost, zero tokens, but the timer resets.

Risk

Likelihood:

The global timer triggers on every normal earnSnow() call. The griefing attack via buySnow(0) costs only gas (no ETH, no WETH, no tokens). A bot calling buySnow(0) every 6 days permanently blocks all free earning.

Impact:

The "earn Snow for free once a week" feature is non-functional for all but the first user each week. With active griefing, zero users can ever earn for free. Users are forced to buy Snow with ETH/WETH, eliminating the free-earn value proposition.

Proof of Concept

function testExploit_GlobalTimerBlocksAllUsers() public {

Snow snow = new Snow(address(weth), 5, collector);

// Alice earns first — succeeds (timer is 0)

vm.prank(alice);

snow.earnSnow();

assertEq(snow.balanceOf(alice), 1);

// Bob tries immediately — BLOCKED by Alice's earn

vm.prank(bob);

vm.expectRevert(Snow.S__Timer.selector);

snow.earnSnow();

// Wait 6 days, griefer calls buySnow(0) to reset timer for free

vm.warp(block.timestamp + 6 days);

vm.prank(griefer);

snow.buySnow(0); // costs nothing, mints nothing, resets s_earnTimer

// Bob tries after griefer — STILL BLOCKED

vm.prank(bob);

vm.expectRevert(Snow.S__Timer.selector);

snow.earnSnow();

}

Output:

Alice earned: 1 Snow

Bob attempt 1: REVERTED (S__Timer)

Griefer buySnow(0): succeeded (0 ETH, 0 tokens, timer reset)

Bob attempt 2: REVERTED (S__Timer)

Recommendations

Make the timer per-user:

- uint256 private s_earnTimer;

+ mapping(address => uint256) private s_earnTimer;

function earnSnow() external canFarmSnow {

- if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

+ if (s_earnTimer[msg.sender] != 0 && block.timestamp < (s_earnTimer[msg.sender] + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

- s_earnTimer = block.timestamp;

+ s_earnTimer[msg.sender] = block.timestamp;

}

Remove the timer reset from buySnow() and add require(amount > 0):

function buySnow(uint256 amount) external payable canFarmSnow {

+ if (amount == 0) revert S__ZeroValue();

// ... existing logic ...

- s_earnTimer = block.timestamp;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!