Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Control on NFT Minting Function

jamesmiller

CodeHawk Security Audit Submission

Vulnerability: Missing Access Control on NFT Minting Function

Severity: HIGH

Description

The mintSnowman() function in the Snowman contract is publicly callable with no access control. This allows any external caller to mint unlimited Snowman NFTs to arbitrary addresses, completely bypassing the Merkle tree verification in SnowmanAirdrop.

Vulnerability Details

Location

File: src/Snowman.sol
Function: mintSnowman(address receiver, uint256 amount) (line 36)

Issue

function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

The function is marked external with no access control modifiers or authorization checks. Any account can:

Call mintSnowman() directly
Mint any number of NFTs
Send NFTs to any address
Bypass the SnowmanAirdrop contract entirely

Root Cause

No access control check restricts who can call mintSnowman(). The contract has no reference to SnowmanAirdrop and implements no authorization mechanism.

Risk

Likelihood: Very High | Ease of Exploitation: Trivial | Privileges Required: None

Business Impact: Airdrop mechanism is nullified, destroying token scarcity and legitimacy. Intended recipients are harmed and project reputation is damaged.

Technical Impact: Attacker gains unlimited supply control; legitimate holders' NFTs are devalued to near-zero; tokens cannot be recalled from blockchain.

Impact

Unlimited NFT minting without merkle validation
Intended airdrop recipients receive nothing
Total supply becomes unbounded, destroying scarcity
Sybil attacks possible on any governance tied to NFT ownership

Proof of Concept

Direct Attack:

snowmanContract.mintSnowman(attackerAddress, 1000000);

Attacker instantly owns 1M NFTs without merkle proof or airdrop authorization.

Batch Distribution:

address[] memory targets = [addr1, addr2, addr3];

for (uint i = 0; i < targets.length; i++) {

snowmanContract.mintSnowman(targets[i], 500);

}

Attacker freely distributes tokens to sybil accounts.

Result: Legitimate recipients are blocked from claiming; merkle proof validation is worthless.

Recommended Mitigation

Implement access control to restrict minting to only the authorized SnowmanAirdrop contract.

Implementation

Add immutable airdrop reference:

address private immutable i_airdropContract;

Add access control modifier:

modifier onlyAirdrop() {

if (msg.sender != i_airdropContract) revert SM__NotAllowed();

}

Update constructor:

constructor(string memory _SnowmanSvgUri, address _airdropContract)

ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender)

{

if (_airdropContract == address(0)) revert SM__ZeroAddress();

s_TokenCounter = 0;

s_SnowmanSvgUri = _SnowmanSvgUri;

i_airdropContract = _airdropContract;

}

Apply modifier to mintSnowman():

function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Add getter:

function getAirdropContract() external view returns (address) {

return i_airdropContract;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!