Global `s_earnTimer` in `earnSnow()` allows a single griefer to permanently block all other users from free Snow
Root + Impact
Description
-
earnSnow()is designed to let each user earn 1 free Snow token once per week as a free participation path into the airdrop. -
s_earnTimeris a single contract-wide variable rather than a per-user mapping. Every time any user callsearnSnow(), the timer resets for the entire contract. A single griefer with a bot who callsearnSnow()each time the weekly cooldown expires continuously resets the global timer and permanently starves all other users, at a cost of only gas. SincebuySnow()requires WETH fees, this denial-of-service effectively shuts down participation for users who cannot or do not want to pay.
Risk
Likelihood:
-
A single griefer calling
earnSnow()at each weekly cooldown expiry is sufficient to lock out all other users indefinitely — the attack requires only consistent mempool monitoring and gas payments. -
The attack is economically rational for anyone who wants to suppress airdrop participation (e.g., to keep the NFT collection exclusive to a small group).
Impact:
-
The free Snow acquisition path is denied to all users except the griefer for as long as the griefer sustains the attack. The griefer must call once per week indefinitely, paying only gas each time. While not costless, weekly gas on a single
earnSnow()call is negligible enough that a motivated attacker can sustain it for months. -
buySnow()exists as an alternative path but requires 5 ETH (WETH) per Snow token. The free path is a distinct design guarantee for users who cannot afford fees. Forcing all participation through the paid path defeats the protocol's accessibility model and is not a substitute for the intended free distribution.
Proof of Concept
Place this test in test/TestGlobalTimer.t.sol and run forge test --match-test testGrieferBlocksAllUsers.
Recommended Mitigation
Replace the global s_earnTimer variable with a mapping(address => uint256) so each user's cooldown is tracked independently and one user cannot block another.
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.