Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

SnowmanAirdrop uses live balanceOf() for Merkle leaf computation, causing claim failure when Snow balance changes after tree generation

ccccboldt

Root + Impact

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

The Merkle tree is built at a specific point in time with a committed `(receiver, amount)` pair per user. However, `claimSnowman()` computes the Merkle leaf using `i_snow.balanceOf(receiver)` **at claim

time** — not the amount originally committed in the tree. If the receiver's Snow balance changes between tree generation and claim execution, the computed leaf will not match any leaf in the tree and the

claim will permanently revert.

```solidity

function claimSnowman(...) external nonReentrant {

// @> amount read live — not from a committed value

uint256 amount = i_snow.balanceOf(receiver);

// @> Leaf computed with live balance, not the Merkle-committed amount

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof(); // @> Reverts if balance changed since tree build

}

```

The same issue exists in `getMessageHash()`, which also calls `i_snow.balanceOf(receiver)` live — meaning the signed digest becomes invalid if balance changes between signing and claiming.

### Risk

**Likelihood:**

- A user who receives additional Snow tokens after the Merkle tree is built but before claiming will be permanently locked out

- A user who transfers any Snow away before claiming also cannot claim

- Front-running: an attacker can send 1 wei of Snow to a victim's address to inflate their balance, invalidating their Merkle proof

**Impact:**

- Legitimate airdrop recipients are permanently unable to claim their Snowman NFTs

- No recovery path exists — the Merkle root is immutable and the contract has no admin override

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2

Impact:

Impact 1
Impact 2

Proof of Concept

```solidity

function test_poc_LiveBalanceLockout() public {

// Alice is in Merkle tree with amount = 1 (earned in setUp)

assertEq(snow.balanceOf(alice), 1);

// Someone sends Alice 1 more Snow (e.g. attacker or accidental transfer)

vm.warp(block.timestamp + 1 weeks);

address sender = makeAddr("sender");

vm.prank(sender);

snow.earnSnow();

vm.prank(sender);

snow.transfer(alice, 1);

// Alice now has 2 Snow, but Merkle tree has leaf(alice, 1)

assertEq(snow.balanceOf(alice), 2);

// Claim fails — live balance (2) != committed amount (1)

vm.prank(alice);

snow.approve(address(airdrop), 2);

bytes32 digest = airdrop.getMessageHash(alice); // uses balance=2

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, digest);

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s); // REVERTS

}

```

Run with: `forge test --match-test test_poc_LiveBalanceLockout -vvv`

Recommended Mitigation

Pass the committed `amount` as a parameter and verify it against the Merkle proof instead of reading the live balance:

```diff

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external nonReentrant

{

- uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

i_snow.safeTransferFrom(receiver, address(this), amount);

}

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!