Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[H-05] `claimSnowman` uses dynamic `balanceOf()` for Merkle leaf — any balance change after tree generation breaks claims

webrainsec

Description

claimSnowman computes the Merkle leaf using the receiver's current Snow balance (i_snow.balanceOf(receiver)) rather than accepting the amount as a parameter. The Merkle tree is generated at a specific point in time with each user's balance at that moment. If a user's balance changes between tree generation and claiming (by buying more Snow, earning another token, or transferring), the recomputed leaf won't match and the Merkle proof fails.

Vulnerability Details

// src/SnowmanAirdrop.sol, lines 84-90

uint256 amount = i_snow.balanceOf(receiver); // @> reads CURRENT balance, not the value in the Merkle tree

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof(); // @> fails if balance changed since tree generation

}

The Merkle tree generation script (script/GenerateInput.s.sol) captures each user's Snow balance at deployment time and creates leaves as keccak256(abi.encode(address, balance)). The root is stored immutably in the contract. But claimSnowman reads the live balanceOf() rather than using the original amount.

Consider this scenario:

Tree generated with Alice having 1 Snow → leaf = keccak256(abi.encode(alice, 1))
Alice buys 2 more Snow → balance is now 3
Alice claims → leaf computed as keccak256(abi.encode(alice, 3))
Proof for (alice, 1) does not verify against leaf (alice, 3) → revert

The same happens if Alice transfers Snow to someone else, reducing her balance below the tree amount.

The getMessageHash function (line 112-122) has the same issue — it reads i_snow.balanceOf(receiver) to compute the signature digest, so the signature is also tied to the current balance rather than the Merkle-tree balance.

Risk

Likelihood:

Any Snow token transaction (earn, buy, transfer) between tree generation and claiming changes the balance. With earnSnow() and buySnow() being the primary user flows, balance changes are expected. The farming period lasts 12 weeks, making balance drift nearly certain.

Impact:

Legitimate airdrop recipients cannot claim their Snowman NFTs. Their Snow tokens are staked but the claim reverts. The only way to claim is to have the exact balance from tree generation time, which is extremely fragile and not communicated to users.

Proof of Concept

function testExploit_BalanceChangeBreakerClaim() public {

// Setup: claimer has 1 Snow, tree generated with (claimer, 1)

// Claimer buys 2 more Snow

vm.deal(address(claimer), 100 ether);

vm.prank(claimer);

snow.buySnow{value: 10 ether}(2); // balance is now 3

// Try to claim with Merkle proof for (claimer, 1)

bytes32 msgHash = airdrop.getMessageHash(claimer); // uses balanceOf = 3

(uint8 v, bytes32 r, bytes32 s) = vm.sign(claimerPrivateKey, msgHash);

// Merkle leaf is keccak256(abi.encode(claimer, 3)) but tree has (claimer, 1)

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);

airdrop.claimSnowman(claimer, proof, v, r, s);

// Claim fails — user's Snow is not burned, no NFT received

}

Output:

Claimer balance at tree generation: 1

Claimer balance at claim time: 3

Merkle proof: INVALID (leaf mismatch)

Claim: REVERTED

Recommendations

Accept amount as a function parameter and verify the user holds at least that amount:

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external nonReentrant

{

if (receiver == address(0)) { revert SA__ZeroAddress(); }

- if (i_snow.balanceOf(receiver) == 0) { revert SA__ZeroAmount(); }

+ if (amount == 0) { revert SA__ZeroAmount(); }

+ if (i_snow.balanceOf(receiver) < amount) { revert SA__InsufficientBalance(); }

- uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

// ... rest unchanged

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!