Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

EIP-712 MESSAGE_TYPEHASH is malformed (typo 'addres' + spaces), so signatures from standard wallets are rejected and eligible users cannot claim

bytethebuilder

Root + Impact

Description

The protocol authenticates claims with an EIP-712 signature, but the struct type string used to build MESSAGE_TYPEHASH is malformed:

@> bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Two problems vs the EIP-712 spec:

Typo: addres instead of address (the actual struct field type is address).
Whitespace: EIP-712 encodeType requires NO spaces - it must be SnowmanClaim(address receiver,uint256 amount). This string has a space after ( ... , between members.

EIP-712-compliant signers (MetaMask eth_signTypedData_v4, ethers/viem signTypedData, etc.) derive the type hash from the correct canonical encoding SnowmanClaim(address receiver,uint256 amount). That produces a different MESSAGE_TYPEHASH, hence a different structHash and a different final digest than the one getMessageHash() builds on-chain. So a signature a normal user creates with their wallet does NOT recover to receiver in _isValidSignature, and claimSnowman reverts with SA__InvalidSignature.

The contract is only self-consistent if the user signs the contract's own non-standard digest by hand (as the test does via vm.sign(key, airdrop.getMessageHash(...))). Real recipients using standard wallet tooling cannot produce a valid signature, so they cannot claim their airdrop - and since claimSnowman is the only way to receive a Snowman, the airdrop is effectively unclaimable through normal flows.

Risk

Likelihood: High - every recipient using a standard EIP-712 wallet/library (the expected flow, and the whole point of EIP-712) is affected.

Impact: Medium - core functionality (claiming) is broken for normal users; a legitimate, properly-intended signature is rejected, denying eligible users their airdrop (protocol DoS / failed delivery of value).

Proof of Concept

A signature over the correct EIP-712 digest (what a wallet produces) is rejected by claimSnowman. Runnable Foundry test (add to TestSnowmanAirdrop.t.sol):

function test_PoC_standardEip712SignatureIsRejected() public {

uint256 amount = snow.balanceOf(alice); // 1

// What a compliant wallet/library computes (correct type string, no typo, no spaces):

bytes32 CORRECT_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

bytes32 structHash = keccak256(abi.encode(CORRECT_TYPEHASH, alice, amount));

// Rebuild the contract's EIP-712 domain separator: EIP712("Snowman Airdrop", "1")

bytes32 domainSeparator = keccak256(

abi.encode(

keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),

keccak256(bytes("Snowman Airdrop")),

keccak256(bytes("1")),

block.chainid,

address(airdrop)

)

);

bytes32 correctDigest = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));

// Alice signs the CORRECT digest, exactly as her wallet would

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, correctDigest);

vm.prank(alice);

snow.approve(address(airdrop), amount);

// The contract uses the malformed typehash internally, so it rejects the valid signature

vm.prank(satoshi);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

}

Run forge test --mt test_PoC_standardEip712SignatureIsRejected -vv; it passes - a correctly-formed EIP-712 signature is rejected, so wallet users cannot claim.

Recommended Mitigation

Fix the type string to the exact EIP-712 canonical encoding (correct type, no spaces) so the on-chain typehash matches what wallets/libraries produce:

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

With the corrected typehash, getMessageHash() reconstructs the same digest standard EIP-712 signers produce, so legitimately-signed claims verify and recipients can claim. (Add a unit test that signs via the canonical EIP-712 encoding - not the contract's own helper - to catch this class of mismatch.)

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!