Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Dynamic balanceOf in Merkle leaf allows zero-cost permanent airdrop DoS via dust transfer

curiux

Root + Impact

claimSnowman builds its Merkle leaf and EIP-712 digest from i_snow.balanceOf(receiver) read live at claim time. The Merkle tree was built at deployment encoding each user's balance at that fixed point. Any change to the live balance — even +1 wei — produces a leaf that does not exist in the tree, permanently invalidating the user's proof. Because Snow.sol exposes no burn() to arbitrary users, the balance cannot be corrected without a third party to receive the excess, who the attacker can re-dust immediately.

A single bot sending 1 SNOW to each of the N eligible addresses permanently DoS's the entire airdrop at the cost of N × gas.

Description

Normal behaviour: Each eligible address holds its Merkle-committed SNOW allocation. To claim, the user presents a Merkle proof and an EIP-712 signature. The contract verifies both then transfers SNOW and mints a Snowman NFT.

The issue: Both checks re-read the live balance:

// SnowmanAirdrop.sol — getMessageHash
uint256 amount = i_snow.balanceOf(receiver); // live, not fixed
return _hashTypedDataV4(keccak256(abi.encode(MESSAGE_TYPEHASH,
SnowmanClaim({receiver: receiver, amount: amount}))));
// SnowmanAirdrop.sol — claimSnowman
uint256 amount = i_snow.balanceOf(receiver); // live, not fixed
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

Risk

Likelihood:

  • Requires no privileged access, no flash loan, no protocol knowledge beyond the eligible address list

  • Total attacker outlay: gas for N dust transfers (each transfer is 1 wei SNOW)

  • Attacker can re-dust any victim who self-rescues (transfers excess to a sink), making the race unwinnable

  • A single mempool bot executes the full attack atomically

Impact:

  • Every eligible address is permanently locked out of claiming

  • No on-chain recovery path exists — Snow.sol has no burn() for arbitrary users

  • Protocol must be fully redeployed to recover

  • All SNOW tokens already transferred into the contract by early claimers are permanently locked

Proof of Concept

// test/Audit.t.sol — test_poc_gap3_dustLockPermanentGriefing
// Run: forge test --match-test test_poc_gap3_dustLockPermanentGriefing -vvv
address attacker = makeAddr("attacker");
address[5] memory victims = [alice, bob, clara, dan, eli];
// Attack: 1 SNOW to each eligible address. Total cost: ~5 * gas.
for (uint256 i = 0; i < 5; i++) {
deal(address(snow), attacker, 1);
vm.prank(attacker);
snow.transfer(victims[i], 1); // victims[i].balance is now allocation + 1
}
// Failure mode A — sign after dust: SA__InvalidProof
bytes32 digest = airdrop.getMessageHash(alice); // H(alice, 2)
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, digest);
vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
// Failure mode B — use pre-dust sig: SA__InvalidSignature
// (getMessageHash now returns H(alice,2); sig was for H(alice,1))
vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);
airdrop.claimSnowman(alice, AL_PROOF, vPre, rPre, sPre);
// Escape attempt: alice transfers excess to a sink and re-signs
vm.prank(alice); snow.transfer(sink, 1); // balance restored to 1
bytes32 rescueDigest = airdrop.getMessageHash(alice);
(uint8 vR, bytes32 rR, bytes32 sR) = vm.sign(alKey, rescueDigest);
// Attacker re-dusts before tx lands
deal(address(snow), attacker, 1);
vm.prank(attacker); snow.transfer(alice, 1); // balance is 2 again
vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);
airdrop.claimSnowman(alice, AL_PROOF, vR, rR, sR); // stale sig, lost race

Recommended Mitigation

Replace the live balanceOf reads with a fixed amount parameter committed at tree-construction time and validated against the proof. The caller supplies the amount; the contract never reads the live balance.

function claimSnowman(
address receiver,
+ uint256 amount,
bytes32[] calldata merkleProof,
uint8 v, bytes32 r, bytes32 s
) external nonReentrant {
...
- if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();
+ if (amount == 0) revert SA__ZeroAmount();
- if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s))
+ if (!_isValidSignature(receiver, getMessageHash(receiver, amount), v, r, s))
revert SA__InvalidSignature();
- uint256 amount = i_snow.balanceOf(receiver);
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
...
}
- function getMessageHash(address receiver) public view returns (bytes32) {
- uint256 amount = i_snow.balanceOf(receiver);
+ function getMessageHash(address receiver, uint256 amount) public view returns (bytes32) {
return _hashTypedDataV4(
keccak256(abi.encode(MESSAGE_TYPEHASH,
SnowmanClaim({receiver: receiver, amount: amount}))));
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.&#x20; ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!