Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

`Snow::buySnow` allows `amount = 0` enabling free griefing of global earn timer

cymans

Root + Impact

Description

The buySnow function has no check for amount == 0.
When called with amount = 0: the fee calculation is s_buyFee * 0 = 0, which matches msg.value = 0, so the if branch executes. _mint(msg.sender, 0) mints nothing. But s_earnTimer = block.timestamp still runs.
Combined with the global s_earnTimer bug (H-02), this allows an attacker to permanently block all earnSnow() calls at zero cost.

// src/Snow.sol

function buySnow(uint256 amount) external payable canFarmSnow {

// @> no check for amount == 0

if (msg.value == (s_buyFee * amount)) { // @> 0 == fee * 0 => true

_mint(msg.sender, amount); // @> mints 0 tokens

} else {

i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));

_mint(msg.sender, amount);

}

s_earnTimer = block.timestamp; // @> timer reset for free

emit SnowBought(msg.sender, amount);

}

Risk

Likelihood:

Costs zero ETH and zero WETH to execute.
Can be automated to call every block, permanently blocking earnSnow.

Impact:

The earnSnow free minting mechanism is permanently disabled for all users.
Users are forced to buy Snow with ETH/WETH, removing the free participation path entirely.

Proof of Concept

The buySnow function accepts amount = 0 without any validation. When amount is zero, the fee calculation s_buyFee * 0 equals 0, which matches msg.value = 0. This means the if branch executes, _mint(msg.sender, 0) mints zero tokens, but critically, s_earnTimer = block.timestamp still runs. Since s_earnTimer is a global variable (see H-02), this resets the earn cooldown for every user in the system at absolutely zero cost.

Step-by-step attack scenario:

Attacker calls snow.buySnow{value: 0}(0). The fee is 0 * fee = 0, matching msg.value = 0.
Zero Snow tokens are minted to the attacker — no cost, no tokens received.
But s_earnTimer is updated to block.timestamp, resetting the global cooldown.
Any user calling earnSnow() within the next 7 days will get reverted with S__Timer.
The attacker repeats this call every time the timer expires (or even every block), permanently locking the earnSnow function for all users.
This attack costs only gas fees, making it extremely cheap to execute indefinitely.

function testBuyZeroGriefs() public {

address attacker = makeAddr("attacker");

address victim = makeAddr("victim");

// Step 1: Attacker calls buySnow(0) — costs zero ETH, zero WETH

vm.prank(attacker);

snow.buySnow{value: 0}(0);

// Step 2: Attacker received nothing — but timer is reset

assertEq(snow.balanceOf(attacker), 0);

// Step 3: Victim tries to earn — blocked by attacker's zero-cost call

vm.prank(victim);

vm.expectRevert(Snow.S__Timer.selector);

snow.earnSnow();

// Step 4: Even after waiting 1 week, attacker can repeat the grief

vm.warp(block.timestamp + 1 weeks + 1);

vm.prank(attacker);

snow.buySnow{value: 0}(0); // resets timer again for free

// Step 5: Victim is still blocked — this can go on forever

vm.prank(victim);

vm.expectRevert(Snow.S__Timer.selector);

snow.earnSnow();

}

Recommended Mitigation

Add a zero-amount validation at the beginning of buySnow. The contract already defines a S__ZeroValue() error which is suitable for this check. By rejecting amount == 0 early, the function prevents free timer resets and ensures that every buySnow call involves an actual token purchase with a real cost.

function buySnow(uint256 amount) external payable canFarmSnow {

+ if (amount == 0) {

+ revert S__ZeroValue();

+ }

if (msg.value == (s_buyFee * amount)) {

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users

## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!