Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

# Missing Claim Check in `SnowmanAirdrop.sol` Allows Double Claiming

emokprime

Missing Claim Check in SnowmanAirdrop.sol Allows Double Claiming

Description

  • The SnowmanAirdrop.sol contract uses a Merkle tree to distribute NFTs to eligible users. Once a user has claimed their allotment, the contract should prevent them from claiming again to ensure the airdrop is fair and limited.

  • The claimSnowman function correctly sets the s_hasClaimedSnowman[receiver] = true state variable after a successful claim. However, it fails to check this state at the beginning of the function, allowing a user who has already claimed to successfully re-execute the claiming logic.

// src/SnowmanAirdrop.sol
69: function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
70: external
71: nonReentrant
72: {
@> // MISSING: if (s_hasClaimedSnowman[receiver]) revert SA__AlreadyClaimed();
// ... verify signature and proof ...
i_snow.safeTransferFrom(receiver, address(this), amount);
@> s_hasClaimedSnowman[receiver] = true;
emit SnowmanClaimedSuccessfully(receiver, amount);
i_snowman.mintSnowman(receiver, amount);
}

Risk

Likelihood: High

  • A malicious user can claim their NFT allotment, then replenish their Snow token balance (by buying more or transferring from another account) and claim the exact same allotment again using the same Merkle proof and signature.

  • This allows users to "drain" the airdrop and mint far more NFTs than intended, as long as they can maintain the required Snow token balance at the time of each claim.

Proof of Concept

The following PoC demonstrates how a user can claim their Snowman NFT twice by simply buying more Snow tokens after the first claim.

// test/AuditPoC.t.sol
function test_doubleClaim() public {
// 1. Setup a receiver with a valid Merkle proof for 1 token
address receiver = vm.addr(0xabc);
uint256 amount = 1;
// ... setup Merkle root and proof (mocked in test setup) ...
// 2. User buys 1 Snow token and initiates the first claim
vm.prank(receiver);
snow.buySnow{value: 1 ether}(1);
vm.prank(receiver);
snow.approve(address(airdrop), 100);
// 3. User claims their first NFT
airdrop.claimSnowman(receiver, proof, v, r, s);
assertEq(snowman.balanceOf(receiver), 1);
assertEq(snow.balanceOf(receiver), 0);
// 4. User buys another Snow token to replenish their balance
vm.prank(receiver);
snow.buySnow{value: 1 ether}(1);
// 5. User successfully claims a SECOND NFT despite having already claimed once
airdrop.claimSnowman(receiver, proof, v, r, s);
assertEq(snowman.balanceOf(receiver), 2);
console2.log("Double claim successful: User received 2 NFTs with 1 allotment proof");
}

Recommended Mitigation

Add a requirement at the start of the claimSnowman function to check if the receiver has already claimed their allotment.

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
+ if (s_hasClaimedSnowman[receiver]) {
+ revert SA__AlreadyClaimed();
+ }
if (receiver == address(0)) {
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol  ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!