Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Missing replay protection enables infinite claiming of NFTs via ECDSA Signature Replay

hxsirago

Root + Impact

Description

Normal behavior requires that once a user claims their an airdrop via cryptographic signature in the claimSnowman function, that same signature cannot be used again to claim more tokens.

However, the signature digest only incorporates the receiver and amount, omitting a non-reusability element (like a nonce). Furthermore, while s_hasClaimedSnowman[receiver] is set to true, the contract never actively checks this mapping to ensure the user hasn't already claimed.

// Missing check: require(!s_hasClaimedSnowman[receiver], "Already claimed");
// ...
@> i_snow.safeTransferFrom(receiver, address(this), amount);
@> s_hasClaimedSnowman[receiver] = true;
emit SnowmanClaimedSuccessfully(receiver, amount);
i_snowman.mintSnowman(receiver, amount);

Risk

Likelihood:

  • This will occur repeatedly if a user ever replenishes their Snow token balance through trading/purchasing, allowing an attacker (or the user themselves) to broadcast the old valid signature again.

Impact:

  • A user or attacker can replay a valid signature infinitely, transferring newly acquired Snow tokens to the contract and minting additional Snowman NFTs beyond their allowed one-time claim.

  • The state checking mechanism s_hasClaimedSnowman is completely bypassed, breaking the single-claim security model.

Proof of Concept

This proof of concept demonstrates the ability to execute a signature replay attack. The test creates a legitimate scenario where Alice claims her allowed airdrop amount using a valid ECDSA signature, receiving her initial NFT. Following this, she purchases an equivalent amount of Snow tokens from the open market. She then broadcasts the exact same cryptographic signature and Merkle proof as her first transaction. Because the contract does not verify s_hasClaimedSnowman[receiver] and the signature contains no one-time nonce, the replay execution succeeds, draining her newly bought Snow tokens and illicitly minting her a second NFT.

function test_AirdropReplayAttack() public {
// Set up Alice just like the test file
(address alice, uint256 alKey) = makeAddrAndKey("alice");
// We know from the official test file that this is Alice's proof
bytes32 alProofA = 0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52;
bytes32 alProofB = 0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;
bytes32 alProofC = 0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;
bytes32[] memory AL_PROOF = new bytes32[](3);
AL_PROOF[0] = alProofA; AL_PROOF[1] = alProofB; AL_PROOF[2] = alProofC;
// Let's ensure Alice has enough balance. The Helper script gives her 1 Snow token originally.
uint256 amountToClaim = 1;
vm.startPrank(alice);
snow.approve(address(airdrop), type(uint256).max);
bytes32 alDigest = airdrop.getMessageHash(alice);
(uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest);
// Alice Claims first time
airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS);
assertEq(nft.balanceOf(alice), amountToClaim);
console2.log("Alice claimed the first time. NFT Balance:", nft.balanceOf(alice));
// Alice balance was burnt to the airdrop contract.
// She buys exact same amount of snow back with ETH
uint256 fee = snow.s_buyFee() * amountToClaim;
vm.deal(alice, fee);
snow.buySnow{value: fee}(amountToClaim);
// Alice calls claim again with THE EXACT SAME PROOF AND SIGNATURE
airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS);
// NFT minted AGAIN!
assertEq(nft.balanceOf(alice), amountToClaim * 2);
console2.log("Alice successfully claimed TWICE! NFT balance:", nft.balanceOf(alice));
vm.stopPrank();
}

Recommended Mitigation

Recommended Mitigation: Add a verification check to enforce that an address can only claim the airdrop once, fully utilizing the s_hasClaimedSnowman mapping.

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
if (receiver == address(0)) {
revert SA__ZeroAddress();
}
if (i_snow.balanceOf(receiver) == 0) {
revert SA__ZeroAmount();
}
+ if (s_hasClaimedSnowman[receiver]) {
+ revert SA__AlreadyClaimed();
+ }
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 4 days ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol  ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!