Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

EIP-712 typehash typo ("addres" + extra space) breaks signature verification for any standards-compliant signer

cloebaxter4

Root + Impact

Description

The protocol uses EIP-712 typed data signing so wallets, frontends and other contracts can recover signatures over the SnowmanClaim struct in a standardised way.
MESSAGE_TYPEHASH contains a typo (addres instead of address) and an extra space, so the digest produced by this contract does not match the EIP-712 type encoding for SnowmanClaim(address receiver,uint256 amount). Any wallet or off-chain signer that hashes the struct correctly per EIP-712 produces a digest the contract rejects.

// src/SnowmanAirdrop.sol

@> bytes32 private constant MESSAGE_TYPEHASH =

@> keccak256("SnowmanClaim(addres receiver, uint256 amount)"); // @> typo + spacing

Risk

Likelihood:

Triggers for every signer who uses a standards-compliant EIP-712 signing path (MetaMask signTypedData_v4, ethers _signTypedData, viem, OZ's EIP712.sol, etc.).
The contract enforces its broken typehash on every claimSnowman() call.

Impact:

Recipients who sign with any standard wallet or library cannot claim — their signatures fail _isValidSignature, blocking the airdrop for non-custom signers.
Forces all integrators to hand-craft the malformed type string, breaking interoperability and risking phishing/UX issues (signed payload no longer human-readable as the documented struct).

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

contract PoC_TypehashTypo is Test {

function test_typehash_diverges_from_eip712() public pure {

bytes32 correct = keccak256("SnowmanClaim(address receiver,uint256 amount)");

bytes32 contract_ = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

assertTrue(correct != contract_);

}

forge test --match-contract PoC_TypehashTypo -vv → [PASS] (the two hashes differ).

Recommended Mitigation

Fix the type string so it matches the EIP-712 spec exactly: spell address, drop the extra space after the comma. The hash will then equal the digest produced by any standards-compliant signer, restoring interoperability with MetaMask, ethers, viem, etc.

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 9 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!