Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`Snowman.mintSnowman` has no access control — any caller mints unlimited NFTs

0xcr0w

Root + Impact

Description

  • The Snowman NFT is the airdrop reward: users are supposed to receive one Snowman per Snow token they stake, and the mint should be callable only by the SnowmanAirdrop contract.

  • mintSnowman(address, uint256) is declared external with no modifier, no onlyOwner, no allowlist. The custom error SM__NotAllowed is declared but never thrown — strong evidence the access-control modifier was forgotten.

// src/Snowman.sol
error SM__NotAllowed(); // @> declared but never used
@> function mintSnowman(address receiver, uint256 amount) external { // @> no modifier
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Risk

Likelihood:

  • Reason 1: The function is permissionless on a public address — every block any EOA or contract can call it directly.

  • Reason 2: No invariant elsewhere in the codebase blocks the call; the deploy script never wires Snowman ownership to the airdrop.

Impact:

  • Impact 1: Unlimited free minting of Snowman NFTs to any address — entire airdrop premise bypassed.

  • Impact 2: Permanent dilution of the NFT collection's supply and floor value; 100% loss to legitimate claimants.

Proof of Concept

The PoC simulates the weakest possible attacker: a brand-new EOA with no Snow balance, no Merkle proof, no signature, and no approvals — i.e., a wallet that should not be eligible for a single Snowman. The attacker calls mintSnowman directly on the deployed Snowman contract and asks for one million NFTs. The assertion that balanceOf(attacker) == 1_000_000 proves there is no economic gate at all on the mint path — every protection the airdrop layers on (Merkle, EIP-712, Snow burn) is sitting on a bypassable foundation.

function test_anyoneCanMintAllSnowmen() public {
address attacker = makeAddr("attacker");
vm.prank(attacker);
snowman.mintSnowman(attacker, 1_000_000);
assertEq(snowman.balanceOf(attacker), 1_000_000);
// No Snow staked, no signature, no Merkle proof — nothing.
}

Recommended Mitigation

The fix restores the missing invariant msg.sender == SnowmanAirdrop. Because Snowman is deployed before the airdrop in DeploySnowmanAirdrop.s.sol, the airdrop address cannot be set in Snowman's constructor without restructuring deployment. The cleanest approach is to add a constructor parameter and pre-compute the airdrop address (Foundry exposes vm.computeCreateAddress), or alternatively to add a one-shot owner-only setAirdrop setter. The patch below uses the constructor-parameter form, which is gas-cheapest and forecloses any later misconfiguration:

+ address public immutable i_airdrop;
+
+ constructor(string memory _SnowmanSvgUri, address _airdrop) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {
+ if (_airdrop == address(0)) revert SM__NotAllowed();
+ i_airdrop = _airdrop;
+ s_SnowmanSvgUri = _SnowmanSvgUri;
+ }
+
+ modifier onlyAirdrop() {
+ if (msg.sender != i_airdrop) revert SM__NotAllowed();
+ _;
+ }
+
- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Follow-up: update DeploySnowmanAirdrop.s.sol to pre-compute the airdrop address (e.g., vm.computeCreateAddress(deployer, nonce + 2)) and pass it into new Snowman(...).

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!