buySnow Resets a Global Cooldown Timer, Permanently Blocking earnSnow for All Users
Root + Impact
Description
The Snow contract allows users to acquire Snow tokens in two ways: by purchasing them with ETH or WETH via
buySnow() at any time during the farming period, or by calling earnSnow() once per week for free. The weekly
cooldown on earnSnow() is enforced by checking s_earnTimer, which is intended to prevent a single user from
earning free tokens more than once per week.s_earnTimer is a single contract-wide variable that is updated by both buySnow() and earnSnow(). Every call to
buySnow() resets the global cooldown, blocking every user in the protocol from calling earnSnow() for another
week — regardless of when they last earned. A griefer who calls buySnow() once per week spends only gas (and
receives a Snow token in return, making the attack near zero-cost) while permanently denying the free earn
mechanism to all other users.
Risk
Likelihood: High
Any user purchasing Snow tokens — even a single token — unconditionally resets the global timer, so the DoS
condition occurs as a side-effect of normal protocol usage, not just deliberate attacks.A deliberate griefer acquires 1 Snow token in exchange for each weekly reset, meaning the economic cost of the
attack approaches zero (gas only) and the griefer accumulates tokens as a byproduct.
Impact:
The free earnSnow() mechanism is rendered permanently non-functional for all users across the entire 12-week
farming period any time anyone purchases Snow tokens.Users who relied on the free weekly earn path to reach their Merkle-registered amount are unable to claim their
airdrop, effectively locking eligible recipients out of the protocol without any on-chain recourse.
Proof of Concept
Recommended Mitigation
Remove the timer update from buySnow() entirely — it has no functional purpose there since buySnow() imposes no
cooldown of its own. Additionally, replace the single global timer with a per-user mapping so that one user's
earn call does not affect another's:
uint256 private s_earnTimer;
mapping(address => uint256) private s_lastEarned;
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.