Missing Zero-Amount Validation in buySnow Enables Timer Griefing
Summary
The buySnow function in Snow.sol does not validate that amount > 0. Calling the function with amount = 0 successfully executes, updates the global s_earnTimer, and emits an event without minting any tokens. This allows a malicious actor to grief legitimate users by repeatedly resetting the timer, blocking the earnSnow() free weekly claim mechanism for everyone.
Description
The buySnow function is intended to allow users to purchase Snow tokens. However, it lacks a check to ensure amount is greater than zero. When called with 0, the function still updates the global s_earnTimer to the current block timestamp. Since earnSnow() relies on this global timer to enforce the 1-week cooldown, an attacker can spam buySnow(0) to constantly refresh the timer, effectively DoS-ing the free earning feature for all users.
Root Cause
File: src/Snow.sol (lines 68-78)
Risk
Severity: Low
Likelihood: Medium
Impact: Low
❌ Allows griefing attack on
earnSnow()feature❌ Global timer can be reset continuously with minimal cost
Wastes gas for all participants
✅ Does not steal funds or mint tokens
Proof of Concept
Scenario: Attacker calls buySnow(0) repeatedly to block Alice from using earnSnow().
Expected Behavior: Calling buySnow with 0 should revert immediately.
Actual Behavior: The function succeeds, updates s_earnTimer, and blocks earnSnow() for 1 week.
Test Output:
What This Proves:
✅
buySnow(0)succeeds and updatess_earnTimer✅ Legitimate users are blocked from
earnSnow()✅ Low-cost griefing vector exists
Recommended Mitigation
Add a simple validation check at the start of the function:
Why This Fixes It:
✅ Prevents zero-amount transactions
✅ Stops timer griefing attacks
✅ Saves gas for users and the protocol
Lead Judging Commences
[L-02] Global Timer Reset in Snow::buySnow Denies Free Claims for All Users
## Description: The `Snow::buySnow` function contains a critical flaw where it resets a global timer `(s_earnTimer)` to the current block timestamp on every invocation. This timer controls eligibility for free token claims via `Snow::earnSnow()`, which requires 1 week to pass since the last timer reset. As a result: Any token purchase `(via buySnow)` blocks all free claims for all users for 7 days Malicious actors can permanently suppress free claims with micro-transactions Contradicts protocol documentation promising **"free weekly claims per user"** ## Impact: * **Complete Denial-of-Service:** Free claim mechanism becomes unusable * **Broken Protocol Incentives:** Undermines core user acquisition strategy * **Economic Damage:** Eliminates promised free distribution channel * **Reputation Harm:** Users perceive protocol as dishonest ```solidity function buySnow(uint256 amount) external payable canFarmSnow { if (msg.value == (s_buyFee * amount)) { _mint(msg.sender, amount); } else { i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount)); _mint(msg.sender, amount); } @> s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` ## Risk **Likelihood**: • Triggered by normal protocol usage (any purchase) • Requires only one transaction every 7 days to maintain blockage • Incentivized attack (low-cost disruption) **Impact**: • Permanent suppression of core protocol feature • Loss of user trust and adoption • Violates documented tokenomics ## Proof of Concept **Attack Scenario:** Permanent Free Claim Suppression * Attacker calls **buySnow(1)** with minimum payment * **s\_earnTimer** sets to current timestamp (T0) * All **earnSnow()** calls revert for **next 7 days** * On day 6, attacker repeats **buySnow(1)** * New timer reset (T1 = T0+6 days) * Free claims blocked until **T1+7 days (total 13 days)** * Repeat step **4 every 6 days → permanent blockage** **Test Case:** ```solidity // Day 0: Deploy contract snow = new Snow(...); // s_earnTimer = 0 // UserA claims successfully snow.earnSnow(); // Success (first claim always allowed) // Day 1: UserB buys 1 token snow.buySnow(1); // Resets global timer to day 1 // Day 2: UserA attempts claim snow.earnSnow(); // Reverts! Requires day 1+7 = day 8 // Day 7: UserC buys 1 token (day 7 < day 1+7) snow.buySnow(1); // Resets timer to day 7 // Day 8: UserA retries snow.earnSnow(); // Still reverts! Now requires day 7+7 = day 14 ``` ## Recommended Mitigation **Step 1:** Remove Global Timer Reset from `buySnow` ```diff function buySnow(uint256 amount) external payable canFarmSnow { // ... existing payment logic ... - s_earnTimer = block.timestamp; emit SnowBought(msg.sender, amount); } ``` **Step 2:** Implement Per-User Timer in `earnSnow` ```solidity // Add new state variable mapping(address => uint256) private s_lastClaimTime; function earnSnow() external canFarmSnow { // Check per-user timer instead of global if (s_lastClaimTime[msg.sender] != 0 && block.timestamp < s_lastClaimTime[msg.sender] + 1 weeks ) { revert S__Timer(); } _mint(msg.sender, 1); s_lastClaimTime[msg.sender] = block.timestamp; // Update user-specific timer emit SnowEarned(msg.sender, 1); // Add missing event } ``` **Step 3:** Initialize First Claim (Constructor) ```solidity constructor(...) { // Initialize with current timestamp to prevent immediate claims s_lastClaimTime[address(0)] = block.timestamp; } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.