Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: low
Valid

claimSnowman sets s_hasClaimedSnowman but never checks it, allowing replay claims that mint additional Snowman NFTs

bytethebuilder

Root + Impact

Description

claimSnowman writes the per-receiver claimed flag but never reads it, so the airdrop has no working replay protection:

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant {
if (receiver == address(0)) revert SA__ZeroAddress();
if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();
if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) revert SA__InvalidSignature();
uint256 amount = i_snow.balanceOf(receiver);
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();
i_snow.safeTransferFrom(receiver, address(this), amount);
@> s_hasClaimedSnowman[receiver] = true; // SET, but there is NO `if (s_hasClaimedSnowman[receiver]) revert;`
emit SnowmanClaimedSuccessfully(receiver, amount);
i_snowman.mintSnowman(receiver, amount);
}

The only thing that incidentally limits a second claim is that the receiver's Snow balance is moved to the contract (so balanceOf == 0 afterwards). But the merkle leaf and signature are keyed on (receiver, amount) where amount = balanceOf(receiver) at call time. If the receiver re-acquires the airdrop amount of Snow (it is a transferable ERC20 - buy it, or receive it from anyone), the exact same proof and a fresh signature verify again, and claimSnowman mints another batch of Snowman NFTs. Because the claimed flag is never checked, this can be repeated indefinitely, minting unlimited Snowman NFTs from a single airdrop allocation.

Risk

Likelihood: Medium - requires re-acquiring the (transferable) Snow amount between claims, which is cheap and unrestricted; no privileged access needed.

Impact: High - unbounded minting of Snowman NFTs beyond the intended one-per-eligible-address, inflating the NFT supply and devaluing every legitimately-claimed Snowman.

Proof of Concept

Alice claims once; another holder sends her the same Snow amount; she claims again and ends up with TWO Snowman NFTs. Runnable Foundry test (add to TestSnowmanAirdrop.t.sol, reusing its proofs/keys):

function test_PoC_replayMintsAgain() public {
// Alice claims once
vm.prank(alice);
snow.approve(address(airdrop), type(uint256).max);
bytes32 d1 = airdrop.getMessageHash(alice);
(uint8 v1, bytes32 r1, bytes32 s1) = vm.sign(alKey, d1);
vm.prank(satoshi);
airdrop.claimSnowman(alice, AL_PROOF, v1, r1, s1);
assertEq(nft.balanceOf(alice), 1);
assertEq(snow.balanceOf(alice), 0); // her Snow was moved to the contract
// Alice re-acquires the same airdrop amount of Snow (bob simply sends her 1)
vm.prank(bob);
snow.transfer(alice, 1);
assertEq(snow.balanceOf(alice), 1);
// Same proof + a fresh signature over the same (receiver, amount) -> claim AGAIN
bytes32 d2 = airdrop.getMessageHash(alice);
(uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, d2);
vm.prank(satoshi);
airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2);
// replay succeeded: Alice now holds TWO Snowman NFTs from one allocation
assertEq(nft.balanceOf(alice), 2);
}

Run forge test --mt test_PoC_replayMintsAgain -vv; it passes - Alice minted a second Snowman because the claimed flag is never enforced.

Recommended Mitigation

Check the claimed flag at the start of claimSnowman (and add a dedicated error), so each receiver can claim at most once regardless of balance:

error SA__AlreadyClaimed();
function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant {
if (receiver == address(0)) revert SA__ZeroAddress();
if (s_hasClaimedSnowman[receiver]) revert SA__AlreadyClaimed(); // <-- enforce single claim
if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();
if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) revert SA__InvalidSignature();
uint256 amount = i_snow.balanceOf(receiver);
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();
s_hasClaimedSnowman[receiver] = true; // effects before interactions
i_snow.safeTransferFrom(receiver, address(this), amount);
emit SnowmanClaimedSuccessfully(receiver, amount);
i_snowman.mintSnowman(receiver, amount);
}

Setting the flag (and reverting on repeat) before the external transfer/mint makes replay impossible even if the receiver re-acquires Snow.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

# Root + Impact &#x20; **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol  ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!