Snowman Merkle Airdrop
AI First Flight #10
Beginner Friendly
Foundry
Solidity
NFT
EXP
AI First Flight
EXP
May 16th, 2026 → May 16th, 2026
10 / 10 Submissions

| # | Submission | Severity | Validity | Tags | Author |
|---|---|---|---|---|---|
| #1 | `Snowman.mintSnowman` has no access control — any caller mints unlimited NFTs | High | Valid | [H-01] Unrestricted NFT Min... | 0xcr0w |
| #2 | EIP-712 `MESSAGE_TYPEHASH` contains the typo `addres` — standards-compliant wallet signatures never verify | High | Valid | [H-02] Unconsistent `MESSAG... | 0xcr0w |
| #3 | Double-claim via Snow re-acquisition — `s_hasClaimedSnowman` is written but never read | Low | Valid | [L-01] Missing Claim Status... | 0xcr0w |
| #4 | Merkle leaf uses live `balanceOf` instead of snapshot amount — any inbound transfer voids the claim | Medium | Valid | [M-01] DoS to a user trying... | 0xcr0w |
| #5 | `Snow.earnSnow` uses a global timer — first weekly caller locks out every other user | Low | Valid | [L-02] Global Timer Reset i... | 0xcr0w |
| #6 | `buySnow` exact-match check leaks ETH and double-charges users with non-zero WETH approval | High | Invalid | | 0xcr0w |
| #7 | `_safeMint` ERC721 callback enables cross-contract reentrancy into Snowman during the mint loop | Medium | Invalid | | 0xcr0w |
| #8 | `Snow.collectFee` ignores WETH `transfer` return value and forwards arbitrary force-pushed ETH | Medium | Invalid | | 0xcr0w |
| #9 | `claimSnowman` is callable by anyone with the signature — relayer/replayer griefs timing and token approvals | Medium | Invalid | | 0xcr0w |
| #10 | No `deadline` or `nonce` in the EIP-712 payload — signatures are valid forever and across redeployments with same domain | Medium | Invalid | | 0xcr0w |