Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Typo in MESSAGE_TYPEHASH ("addres" instead of "address") breaks all claimSnowman signature verification

hackinghacked674

Root + Impact

Root: MESSAGE_TYPEHASH in SnowmanAirdrop.sol:49 contains a typo — "addres" instead of "address" — producing an incorrect keccak256 hash.

Impact: All calls to claimSnowman revert with SA__InvalidSignature, making it impossible for anyone (receiver or delegate) to claim Snowman NFTs through the airdrop mechanism.

Description

Recipients or delegates are expected to claim Snowman NFTs by calling SnowmanAirdrop::claimSnowman with a valid EIP-712 signature (v, r, s).
However, MESSAGE_TYPEHASH is defined with a typo — "addres" instead of "address". This causes getMessageHash() to produce a different digest than what standard EIP-712 tools (MetaMask, ethers.js, viem) generate. As a result, _isValidSignature always fails, and claimSnowman reverts for every user — both direct claimers and delegates.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(@> addres receiver, uint256 amount)");

// "addres" is missing an 's' — should be "address"

Risk

Likelihood:

Every call to claimSnowman passes through _isValidSignature, which uses the buggy typehash to compute the digest. This mismatch occurs on every invocation — no special conditions needed.

Impact:

No one can claim Snowman NFTs through SnowmanAirdrop::claimSnowman, rendering the airdrop contract completely non-functional.
Snow tokens lose their utility — users who purchased or earned Snow tokens cannot exchange them for NFTs, undermining the token economy.

Proof of Concept

The following tests demonstrate that:

The correct and buggy typehashes produce completely different keccak256 values
A signature created with the correct EIP-712 typehash is rejected by claimSnowman

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

import {Helper} from "../script/Helper.s.sol";

import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

contract PoC_H2_TypehashTypo is Test {

Snow snow;

Snowman nft;

SnowmanAirdrop airdrop;

MockWETH weth;

Helper deployer;

bytes32 public ROOT = 0xc0b6787abae0a5066bc2d09eaec944c58119dc18be796e93de5b2bf9f80ea79a;

bytes32 alProofA = 0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52;

bytes32 alProofB = 0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;

bytes32 alProofC = 0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;

bytes32[] AL_PROOF = [alProofA, alProofB, alProofC];

address alice;

uint256 alKey;

// Correct EIP-712 typehash (note: "address" spelled correctly)

bytes32 constant CORRECT_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");

// Buggy typehash used in the contract (note: "addres" — missing 's')

bytes32 constant BUGGY_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

function setUp() public {

deployer = new Helper();

(airdrop, snow, nft, weth) = deployer.run();

(alice, alKey) = makeAddrAndKey("alice");

}

function test_typehashesAreDifferent() public pure {

// Demonstrate that the two typehashes produce completely different values

assert(CORRECT_TYPEHASH != BUGGY_TYPEHASH);

console2.log("Correct typehash:");

console2.logBytes32(CORRECT_TYPEHASH);

console2.log("Buggy typehash (in contract):");

console2.logBytes32(BUGGY_TYPEHASH);

}

function test_correctSignatureReverts() public {

// ① Setup — alice has Snow tokens and approves airdrop

assertGt(snow.balanceOf(alice), 0, "Alice should have Snow tokens");

vm.prank(alice);

snow.approve(address(airdrop), snow.balanceOf(alice));

// ② Create signature using CORRECT EIP-712 typehash (what standard tools would produce)

uint256 amount = snow.balanceOf(alice);

bytes32 correctStructHash = keccak256(

abi.encode(CORRECT_TYPEHASH, alice, amount)

);

// Build the EIP-712 domain separator manually to match the contract's domain

bytes32 domainSeparator = keccak256(

abi.encode(

keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),

keccak256("Snowman Airdrop"),

keccak256("1"),

block.chainid,

address(airdrop)

)

);

bytes32 correctDigest = MessageHashUtils.toTypedDataHash(domainSeparator, correctStructHash);

// Alice signs with the correct digest

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, correctDigest);

// ③ Verify — claimSnowman reverts because contract uses buggy typehash

vm.prank(alice);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

// Alice still has no NFTs

assertEq(nft.balanceOf(alice), 0, "Alice should still have 0 NFTs");

console2.log("Claim with correct EIP-712 signature: REVERTED (as expected due to typo)");

}

Recommended Mitigation

Fix the typo in MESSAGE_TYPEHASH:

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!