Merkle leaf uses live `balanceOf` instead of snapshot amount — any inbound transfer voids the claim
Root + Impact
Description
Off-chain, the Merkle root is built from a frozen snapshot (
input.json: each whitelisted address mapped to a fixed amount).On-chain, the leaf is recomputed from the current
balanceOf, so a claim only verifies if the live balance exactly equals the snapshotted amount. Any inbound transfer (even 1 wei dust) shifts the leaf and breaks the proof.
Risk
Likelihood:
Reason 1: A griefer sends 1 wei of Snow to a pending claimer →
balanceOfbecomessnapshot + 1→ proof verification fails. Cost to griefer: 1 wei + gas.Reason 2: Whitelisted users naturally earn/buy/transfer Snow between snapshot time and claim time — mismatch is the default state.
Impact:
Impact 1: Permanent DoS of any user whose balance drifts from snapshot.
Impact 2: Cheap, repeatable griefing of any pending claim transaction.
Proof of Concept
The PoC starts in Alice's "happy path" state: her balance equals her snapshot amount, her signature and Merkle proof are valid against the published root. Before Alice's claim transaction is mined, an unrelated party (Bob, but anyone works) sends her 1 wei of Snow — a transfer Alice cannot refuse. The contract's leaf recomputation now uses amount = snapshot + 1, which is not in the Merkle tree, so verify returns false and the call reverts with SA__InvalidProof. The revert is what makes this a vulnerability rather than a UX nit: the receiver has no way to recover her position without first off-loading the dust to a different wallet, and a determined griefer can repeat the dust transfer every block.
Recommended Mitigation
The fix decouples the leaf identity from live state by passing the snapshotted amount in the function signature. Both the Merkle leaf and the signed digest are then computed from this user-supplied value rather than from balanceOf — making the proof immutable across balance drift. The safeTransferFrom call naturally reverts if the user doesn't actually hold amount Snow at claim time, so no integrity check is lost. This is the same pattern used by every major Merkle airdrop (Uniswap, Optimism, Arbitrum) for exactly this reason.
The signed SnowmanClaim struct must also include amount, and getMessageHash must take amount as a parameter (it already does in the struct — the helper just needs to stop deriving from balanceOf).
Lead Judging Commences
[M-01] DoS to a user trying to claim a Snowman
# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.