`Snow.earnSnow` uses a global timer — first weekly caller locks out every other user
Root + Impact
Description
-
The free weekly earn should be per-user: every wallet should be able to call
earnSnowonce per week. -
s_earnTimeris a single contract-wide variable, so the first caller in a week mints and resets the timer for everyone. Worse,buySnowalso writes the same timer, so a 1-wei buyer can deny all earners.
Risk
Likelihood:
-
Reason 1: A bot polling every block calls
earnSnow()(or even 1-weibuySnow) the moment the weekly window opens — every week, deterministically. -
Reason 2: There is no per-user state to override this behavior.
Impact:
-
Impact 1: Free Snow distribution is monopolized by one MEV-style caller; legitimate users cannot become eligible to claim Snowman NFTs.
-
Impact 2: The protocol's "earn for free once a week" promise is structurally unreachable for everyone but the fastest bot.
Proof of Concept
The PoC sequences two unrelated wallets, Alice and Bob, both attempting to use the free weekly earn within the same block. Alice goes first and mints her 1 Snow, which is the documented happy path. Bob immediately tries the same call — and instead of getting his own weekly mint, he reverts with S__Timer because Alice's block.timestamp was written to the global slot. This proves the timer is keyed wrong: the modifier semantically reads "anyone who tries to earn within a week of the most recent earn is blocked," which collapses the entire user base to a single-slot queue.
Recommended Mitigation
The fix replaces the single storage slot with a mapping(address => uint256) so each user has an independent cooldown. The cooldown check and the cooldown write both index by msg.sender, which restores the "once-per-user-per-week" invariant the modifier name implies. Additionally, the write inside buySnow is removed entirely — buying should not affect a wallet's free-earn cadence, since the two paths are economically independent (paying users get tokens immediately; free users wait 7 days).
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.