SnowmanAirdrop::claimSnowman never reads s_hasClaimedSnowman - eligible address can claim repeatedly
Root + Impact
Description
-
The airdrop is meant to be claimable once per eligible address;
s_hasClaimedSnowman[receiver]exists to enforce that one-claim invariant. -
claimSnowmanassignss_hasClaimedSnowman[receiver] = truebut never reads it in anyrequire/ifguard. The only place the mapping is read is theviewgettergetClaimStatus, which gates nothing. The write is therefore dead and the one-claim-per-address invariant is unenforced.
```solidity
// src/SnowmanAirdrop.sol
@> s_hasClaimedSnowman[receiver] = true; // written here...
// ...but no if (s_hasClaimedSnowman[receiver]) revert(...) ever guards claimSnowman
```
A guard that reads the flag before acting is missing entirely, so the same address can pass the Merkle + signature checks again and re-claim.
Risk
Likelihood:
-
Occurs when a claimed address re-acquires its Merkle-snapshot Snow amount (for example via
buySnow) after the first claim drains its balance, then re-submits the same Merkle proof with a fresh signature. -
The Merkle leaf stays valid because the snapshot amount is unchanged, and no code path blocks the second call, so the replay succeeds deterministically.
Impact:
-
An eligible address mints Snowman NFTs multiple times, far beyond its entitlement.
-
Airdrop integrity is broken — the supply issued is no longer bounded by the eligibility snapshot (replay / double-claim).
Proof of Concept
The receiver claims once (balance drains to zero, getClaimStatus becomes true), re-acquires the snapshot amount, signs again, and re-submits the same proof — the second claim still succeeds:
```solidity
function test_double_claim_via_restake() public {
// first claim succeeds, receiver's Snow balance -> 0
vm.prank(receiver);
airdrop.claimSnowman(receiver, proof, v1, r1, s1);
assertTrue(airdrop.getClaimStatus(receiver)); // already marked "claimed"
}
```
Because s_hasClaimedSnowman is never checked, the "already claimed" status set by the first call has no effect on the second.
Recommended Mitigation
Read the flag at the top of claimSnowman and revert when it is already set:
```diff
function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external {
-
if (s_hasClaimedSnowman[receiver]) revert SA__AlreadyClaimed();// ...existing Merkle proof + signature checks...s_hasClaimedSnowman[receiver] = true;// ...mint...}
```
Lead Judging Commences
[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman
# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.