Missing Claim Check in claimSnowman() Function
Root + Impact
The claimSnowman function lacks a check to prevent multiple claims from the same address, allowing users to claim repeatedly as long as they can re‑acquire the required Snow tokens.
Description
-
Normal behavior: The contract intends to allow each eligible user to claim a Snowman NFT exactly once. A mapping
s_hasClaimedSnowmanis supposed to track whether an address has already claimed. -
problem: There is no
require(!s_hasClaimedSnowman[receiver])at the beginning of the function. The mapping is only set totrueat the very end, after all token transfers and minting. This means that if a user can obtain the same amount of Snow tokens again (for example, by buying them on the market), they can reuse the same Merkle proof and signature to claim another NFT.s
Risk
Likelihood:
-
A user who has claimed once can claim again whenever they manage to re‑acquire the same amount of Snow tokens (e.g., by purchasing them from a decentralized exchange or receiving them from another address).
-
The signature and Merkle proof remain valid forever because the signed message does not include a nonce or expiration, and the Merkle leaf is recomputed from the current balance (which can become the original amount again).
Impact:
-
An attacker can mint an unlimited number of Snowman NFTs without any additional eligibility, draining the NFT supply.
-
Each claim transfers the user’s Snow tokens to the contract (effectively burning them), so the contract accumulates an arbitrary amount of Snow tokens, potentially exceeding what was intended to be burned.
-
Legitimate users may be unable to claim if the NFT supply is exhausted by repeated claims from the same address.
Proof of Concept
The following Foundry test demonstrates the vulnerability. It shows a user claiming twice after replenishing their Snow balance::
Output:
Recommended Mitigation
Add a check at the beginning of claimSnowman to ensure the receiver has not already claimed, and consider moving the state update earlier (though the check alone is sufficient with nonReentrant)
Lead Judging Commences
[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman
# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.