Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Global s_earnTimer Denial of Service (DoS) in Snow.sol

emokprime

Global `s_earnTimer` Denial of Service (DoS) in `Snow.sol`

Description

The Snow contract provides a "free" token earning mechanism called earnSnow(), which allows users to mint a small amount of Snow once a week. This is intended to encourage long-term participation and gradual token accumulation for everyone.
The s_earnTimer variable, which tracks the last time a token was earned, is a global state variable shared by all users instead of being stored in a mapping (e.g., mapping(address => uint256)). Any call to earnSnow() or buySnow() updates this global timestamp, resetting the 1-week cooldown for every single user in the protocol across the board.

// src/Snow.sol

92: function earnSnow() external canFarmSnow {

@> if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

@> s_earnTimer = block.timestamp;

}

Risk

Likelihood: High

Because buySnow() also updates the s_earnTimer global variable, an attacker can prevent any user from ever calling earnSnow() by simply buying a tiny amount of Snow (e.g., 1 wei) every 6 days.
This allows a malicious actor to permanently disable the "free" token mechanism for the entire community for the entire 12-week farming duration at a very low cost.

Proof of Concept

The following PoC shows how an attacker can block another user from earning their weekly free Snow token by resetting the global timer just before the user's cooldown would have expired.

// test/AuditPoC.t.sol

function test_globalTimerDoS() public {

// 1. User1 earns snow successfully

vm.prank(user1);

snow.earnSnow();

assertEq(snow.balanceOf(user1), 1);

// 2. User2 tries to earn snow immediately but fails (as expected under global timer but incorrect for per-user)

vm.prank(user2);

vm.expectRevert();

snow.earnSnow();

// 3. 6 days later, an attacker buys 1 wei of snow to reset the global timer

address attacker = makeAddr("attacker");

vm.deal(attacker, 10 ether);

vm.warp(block.timestamp + 6 days);

vm.prank(attacker);

snow.buySnow{value: 1 ether}(1); // Costing 1 ETH due to precision bug, but resets timer

// 4. 8 days since User1 earned, the 1-week cooldown should have passed

vm.warp(block.timestamp + 2 days);

// 5. User1 tries to earn, but the global timer was reset by the attacker 2 days ago

vm.prank(user1);

vm.expectRevert(); // Still reverts with S__Timer

console2.log("Attacker successfully blocked User1 from earning tokens");

}

Recommended Mitigation

Change the s_earnTimer from a single uint256 to a mapping(address => uint256) so that every user has their own independent cooldown period.

- uint256 private s_earnTimer;

+ mapping(address => uint256) private s_earnTimer;

function earnSnow() external canFarmSnow {

- if (s_earnTimer != 0 && block.timestamp < (s_earnTimer + 1 weeks)) {

+ if (s_earnTimer[msg.sender] != 0 && block.timestamp < (s_earnTimer[msg.sender] + 1 weeks)) {

revert S__Timer();

}

_mint(msg.sender, 1);

- s_earnTimer = block.timestamp;

+ s_earnTimer[msg.sender] = block.timestamp;

}

(Note: Also remove the s_earnTimer update from the buySnow() function to prevent purchasing from affecting the free earn cooldown).

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!