Missing nonce and deadline in signature verification allows replay attacks
Description
The claimSnowman function uses ECDSA signatures but has no nonce or deadline checks.
Lines 69-79 show signature verification without nonce or deadline. Signatures can be replayed and never expire.
Risk
Likelihood: Medium — Anyone with a valid signature can replay it
Impact: Medium — Users can claim multiple times; signatures valid forever
Proof of Concept
User generates valid signature for their claim
User claims once, receives NFTs
User uses the SAME signature to claim again
Claim succeeds again (no nonce)
Signature remains valid forever (no deadline)
Recommended Mitigation
Add nonce mapping:
mapping(address => uint256) public noncesAdd deadline parameter to function
Include nonce and deadline in signed message hash
Check
block.timestamp < deadlineIncrement nonce after each use
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.