Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect EIP-712 typehash rejects standard delegated claim signatures

spacerubberducky

Root + Impact

The delegated claim flow is intended to let a receiver sign an EIP-712 SnowmanClaim message so another caller can submit claimSnowman() on the receiver's behalf.

The issue is that MESSAGE_TYPEHASH is not the canonical type hash for the SnowmanClaim struct. It misspells address as addres and includes a space after the comma.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

The expected canonical EIP-712 type string is:

SnowmanClaim(address receiver,uint256 amount)

As a result, normal wallets and integrations that sign the intended typed data produce signatures that claimSnowman() rejects.

Risk

Likelihood

High. This occurs whenever a user signs the standards-compliant typed-data struct instead of reproducing the contract typo exactly. Normal EIP-712 tooling will use the canonical field type address, not addres.

Impact

Medium. The advertised delegated claim flow is broken for standard off-chain signers. A gas payer cannot claim on behalf of a receiver using a normal EIP-712 signature. Integrators must know and duplicate the typo to make signatures pass, which defeats the expected interoperability of EIP-712.

Proof of Concept

Add this test to test/SnowmanFindings.t.sol:

function testStandardsCompliantEip712SignatureIsRejected() public {

bytes32[] memory proof = _aliceProof();

bytes32 standardDigest = _standardDigest(alice, 1);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, standardDigest);

vm.prank(alice);

snow.approve(address(airdrop), 1);

vm.prank(gasPayer);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, proof, v, r, s);

}

Run:

forge test --match-test testStandardsCompliantEip712SignatureIsRejected -vv

The test passes. A canonical EIP-712 digest for SnowmanClaim(address receiver,uint256 amount) is signed by Alice, but claimSnowman() reverts with SA__InvalidSignature.

Recommended Mitigation

Use the canonical EIP-712 type string without the typo and without the extra space.

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Add a test that signs the canonical EIP-712 struct and confirms claimSnowman() accepts it.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 22 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!