Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: low
Valid

[H-04] `s_earnTimer` is global — one user's action blocks all others from earning, and `buySnow(0)` griefs for free

Description

s_earnTimer is a single uint256 storage variable shared by all users. When any user calls earnSnow() or buySnow(), the timer resets for everyone. Only one user globally can earn a free Snow token per week. Worse, buySnow(0) costs nothing (0 * fee = 0 ETH, mints 0 tokens) but still resets the global timer, providing a free griefing vector that permanently blocks all users from earning.

Vulnerability Details

// src/Snow.sol, line 30
uint256 private s_earnTimer; // @> GLOBAL — not a mapping
// src/Snow.sol, lines 92-99
function earnSnow() external canFarmSnow {
if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
revert S__Timer(); // @> ALL users blocked if ANY user earned/bought recently
}
_mint(msg.sender, 1);
s_earnTimer = block.timestamp; // @> resets timer for EVERYONE
}
// src/Snow.sol, lines 79-89
function buySnow(uint256 amount) external payable canFarmSnow {
if (msg.value == (s_buyFee * amount)) { // 0 == 0 when amount=0
_mint(msg.sender, amount); // mints 0 tokens
} else {
i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
_mint(msg.sender, amount);
}
s_earnTimer = block.timestamp; // @> resets timer even for amount=0!
}

Two separate issues compound here:

  1. Global timer: s_earnTimer should be mapping(address => uint256) so each user has their own weekly cooldown. Instead, the first user to earn each week locks out everyone else.

  2. buySnow(0) griefing: Calling buySnow(0) with msg.value = 0: the condition 0 == s_buyFee * 0 evaluates to true, _mint(msg.sender, 0) is a no-op, and s_earnTimer = block.timestamp resets the global timer. Zero cost, zero tokens, but the timer resets.

Risk

Likelihood:

  • The global timer triggers on every normal earnSnow() call. The griefing attack via buySnow(0) costs only gas (no ETH, no WETH, no tokens). A bot calling buySnow(0) every 6 days permanently blocks all free earning.

Impact:

  • The "earn Snow for free once a week" feature is non-functional for all but the first user each week. With active griefing, zero users can ever earn for free. Users are forced to buy Snow with ETH/WETH, eliminating the free-earn value proposition.

Proof of Concept

function testExploit_GlobalTimerBlocksAllUsers() public {
Snow snow = new Snow(address(weth), 5, collector);
// Alice earns first — succeeds (timer is 0)
vm.prank(alice);
snow.earnSnow();
assertEq(snow.balanceOf(alice), 1);
// Bob tries immediately — BLOCKED by Alice's earn
vm.prank(bob);
vm.expectRevert(Snow.S__Timer.selector);
snow.earnSnow();
// Wait 6 days, griefer calls buySnow(0) to reset timer for free
vm.warp(block.timestamp + 6 days);
vm.prank(griefer);
snow.buySnow(0); // costs nothing, mints nothing, resets s_earnTimer
// Bob tries after griefer — STILL BLOCKED
vm.prank(bob);
vm.expectRevert(Snow.S__Timer.selector);
snow.earnSnow();
}

Output:

Alice earned: 1 Snow
Bob attempt 1: REVERTED (S__Timer)
Griefer buySnow(0): succeeded (0 ETH, 0 tokens, timer reset)
Bob attempt 2: REVERTED (S__Timer)

Recommendations

  1. Make the timer per-user:

- uint256 private s_earnTimer;
+ mapping(address => uint256) private s_earnTimer;
function earnSnow() external canFarmSnow {
- if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {
+ if (s_earnTimer[msg.sender] != 0 && block.timestamp < (s_earnTimer[msg.sender] + 1 weeks)) {
revert S__Timer();
}
_mint(msg.sender, 1);
- s_earnTimer = block.timestamp;
+ s_earnTimer[msg.sender] = block.timestamp;
}
  1. Remove the timer reset from buySnow() and add require(amount > 0):

function buySnow(uint256 amount) external payable canFarmSnow {
+ if (amount == 0) revert S__ZeroValue();
// ... existing logic ...
- s_earnTimer = block.timestamp;
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!