Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Merkle leaf in claimSnowman() is computed from the receiver's live token balance rather than the snapshotted amount, making all proofs permanently invalid after any token movement

cybervikink

Root + Impact

Description

The Merkle tree is built by SnowMerkle.s.sol with fixed snapshot amounts (e.g., all 5 users have amount = 1 in input.json). The claim function then reconstructs the leaf using the live balance:

function claimSnowman(...) external nonReentrant {
// ...
// @> amount is read from CURRENT live balance, not the snapshotted value
uint256 amount = i_snow.balanceOf(receiver);
// @> Leaf is built from the live balance — will diverge from snapshot leaf
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
// @> Proof will fail if live balance != snapshotted balance
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert SA__InvalidProof();
}
// @> Transfers the LIVE balance, not the snapshotted amount
i_snow.safeTransferFrom(receiver, address(this), amount);
// ...
}

Risk

Likelihood:

  • Any user who receives Snow tokens from any source after the Merkle snapshot is taken will have a live balance that differs from the snapshot value, causing proof failure.

  • Normal protocol usage (buying Snow or earning it weekly after snapshot) automatically breaks the claim for that user.

  • Users who transfer Snow tokens to another wallet for any reason lose their ability to claim forever.

Impact:

  • Large portions of the airdrop become permanently uncollectable without redeploying the contract with a new Merkle root.

  • Users who accumulate more Snow than their snapshot amount cannot claim — locked out despite being eligible.

  • Protocol integrity is broken: the claimed NFT count is driven by live balance rather than the agreed snapshot, creating unpredictable claim amounts.

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test} from "forge-std/Test.sol";
import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";
import {Snow} from "../src/Snow.sol";
import {Helper} from "../script/Helper.s.sol";
contract LiveBalanceMerklePoC is Test {
// Alice's data from output.json (snapshot amount = 1)
bytes32 constant AL_PROOF_A = 0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52;
bytes32 constant AL_PROOF_B = 0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;
bytes32 constant AL_PROOF_C = 0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;
function testBalanceChangeMakesProofInvalid() public {
Helper helper = new Helper();
(SnowmanAirdrop airdrop, Snow snow,,) = helper.run();
address alice = makeAddr("alice");
// Alice currently has 1 Snow (from Helper.run() earnSnow)
// Alice earns one more Snow token (simulating normal usage after snapshot)
vm.warp(block.timestamp + 1 weeks);
vm.prank(alice);
snow.earnSnow(); // alice now has 2 Snow tokens
assertEq(snow.balanceOf(alice), 2); // Balance changed from snapshot value of 1
// Alice tries to claim with her valid Merkle proof (built for amount=1)
bytes32[] memory proof = new bytes32[](3);
proof[0] = AL_PROOF_A;
proof[1] = AL_PROOF_B;
proof[2] = AL_PROOF_C;
// Need valid sig — skipped here for brevity, but the Merkle check fires first
// The leaf is computed with amount=2 but the tree has leaf for amount=1
// MerkleProof.verify will return false -> SA__InvalidProof
vm.prank(alice);
// (v,r,s omitted — proof check fires before sig check in this flow since
// sig check is before proof check, but both would fail)
vm.expectRevert(); // SA__InvalidProof or SA__InvalidSignature
airdrop.claimSnowman(alice, proof, 0, bytes32(0), bytes32(0));
}
}

Recommended Mitigation

Pass the snapshotted amount as an explicit parameter to claimSnowman(). Use that parameter for both the leaf computation and the token transfer. The live balance check can remain as a minimum balance guard if desired:

function claimSnowman(
address receiver,
uint256 snapshotAmount, // @> Add explicit snapshot amount
bytes32[] calldata merkleProof,
uint8 v, bytes32 r, bytes32 s
) external nonReentrant {
if (receiver == address(0)) revert SA__ZeroAddress();
if (snapshotAmount == 0) revert SA__ZeroAmount();
// Optional: ensure user still holds at least snapshotAmount
if (i_snow.balanceOf(receiver) < snapshotAmount) revert SA__ZeroAmount();
if (!_isValidSignature(receiver, getMessageHash(receiver, snapshotAmount), v, r, s)) {
revert SA__InvalidSignature();
}
// @> Leaf uses the fixed snapshot amount — stable and reproducible
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, snapshotAmount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {
revert SA__InvalidProof();
}
// @> Transfer exactly the snapshotted amount
i_snow.safeTransferFrom(receiver, address(this), snapshotAmount);
s_hasClaimedSnowman[receiver] = true;
emit SnowmanClaimedSuccessfully(receiver, snapshotAmount);
i_snowman.mintSnowman(receiver, snapshotAmount);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.&#x20; ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!