Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

EIP-712 typehash has a one-letter typo

truegav

EIP-712 typehash has a one-letter typo

Root + Impact

The SnowmanAirdrop contract uses EIP-712 typed data signing for its claimSnowman signature verification. The TYPEHASH constant encodes the struct type signature and is used to compute the digest that users sign off-chain. Standard EIP-712 libraries like ethers.js generate the typehash from the Solidity struct definition, using the canonical type string.

The constant on line 49 has a one-letter typo -- "addres" instead of "address" -- producing a different keccak256 hash from any standard library. Consequently, the digest computed by the contract for verification does not match the digest produced by compliant off-chain signers. Signatures signed with standard EIP-712 tooling always fail SA__InvalidSignature.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Risk

Likelihood :

  • Any frontend using a standard EIP-712 library (ethers.js, viem, wallet SDKs) to construct the typed data for signing. These libraries generate the typehash from the struct definition, using "address" (the correct Solidity type).

  • Any third-party tool or block explorer attempting to decode or replay the signed data will compute a different hash and fail to reconstruct the original message.

Impact :

  • Signature verification always fails when users sign through standard wallet prompts -- the claim function is unusable with any compliant EIP-712 integration.

  • The only workaround is to bypass typed data signing entirely: call getMessageHash() off-chain via RPC and sign the raw hex digest with personal_sign. Wallets then display an opaque hash instead of human-readable claim parameters.

Proof of Concept

function test_TypehashTypoBreaksStandardEip712() public {
bytes32 actualDigest = airdrop.getMessageHash(alice);
bytes32 domainSeparator = keccak256(abi.encode(
keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
keccak256(bytes("Snowman Airdrop")),
keccak256(bytes("1")),
block.chainid,
address(airdrop)
));
bytes32 correctStructHash = keccak256(abi.encode(
keccak256("SnowmanClaim(address receiver, uint256 amount)"),
alice, 1
));
bytes32 correctDigest = keccak256(abi.encodePacked("\\x19\\x01", domainSeparator, correctStructHash));
assertFalse(actualDigest == correctDigest);
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, correctDigest);
vm.prank(satoshi);
vm.expectRevert(bytes4(keccak256("SA__InvalidSignature()")));
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
}

Recommended Mitigation

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)");

Fix the typo: addres -> address.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!