Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Missing chainId in EIP-712 Signature Enables Cross-Chain Replay

alaaeldinsabib

Summary

The getMessageHash function in SnowmanAirdrop.sol does not include chainId in the EIP-712 signature message. This allows signatures generated for one blockchain network to be replayed on another network where the contract is deployed, enabling double-claiming of NFTs.

Description

The contract uses EIP-712 signatures to allow users to delegate their NFT claim to a third party. However, the signature message does not include the chain ID, meaning a signature generated on Ethereum mainnet can be replayed on Polygon, Arbitrum, or any other chain where the contract is deployed.

Root Cause

File: src/SnowmanAirdrop.sol (lines 95-103)

function getMessageHash(address receiver) public view returns (bytes32) {

uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({

receiver: receiver,

amount: amount

})))

);

// ❌ Missing chainId in the message!

}

Risk

Severity: Medium
Likelihood: Medium
Impact: Medium

❌ Signatures can be replayed across different chains
❌ Users can claim NFTs multiple times (once per chain)
❌ Double-spending of airdrop allocation
✅ Requires contract deployment on multiple chains

Proof of Concept

Scenario: Alice claims NFTs on Ethereum mainnet, then replays the same signature on Polygon.

Expected Behavior: Alice should only be able to claim once across all chains.

Actual Behavior: Alice can claim on each chain where the contract is deployed.

function test_SignatureReplayAcrossChains() public {

address alice = makeAddr("alice");

address bob = makeAddr("bob");

uint256 amount = 100 ether;

uint256 alicePrivateKey = 0xA11CE;

bytes32[] memory proof = new bytes32[](0);

// Step 1: Generate signature on Ethereum mainnet (chainId = 1)

bytes32 messageHash = airdrop.getMessageHash(alice);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alicePrivateKey, messageHash);

// Step 2: Alice claims on Ethereum mainnet

vm.prank(bob); // Bob claims on behalf of Alice

airdrop.claimSnowman(alice, proof, v, r, s);

assertEq(nft.balanceOf(alice), amount);

console2.log("Claimed on Ethereum mainnet");

// Step 3: Deploy same contract on Polygon (chainId = 137)

// In real scenario, contract would be deployed on Polygon

// The SAME signature would work because chainId is not included

// Step 4: Replay the SAME signature on Polygon

// This would succeed because:

// - Same MESSAGE_TYPEHASH

// - Same domain separator (except chainId)

// - Signature doesn't include chainId

console2.log("VULNERABILITY: Same signature can be replayed on other chains");

}

Test Output:

Claimed on Ethereum mainnet

VULNERABILITY: Same signature can be replayed on other chains

What This Proves:

✅ Signature does not include chainId
✅ Same signature valid on multiple chains
✅ Users can double-claim NFTs
✅ Airdrop allocation can be stolen multiple times

Recommended Mitigation

Include chainId in the EIP-712 message to prevent cross-chain replay:

// Before (Vulnerable):

bytes32 private constant MESSAGE_TYPEHASH = keccak256(

"SnowmanClaim(address receiver, uint256 amount)"

);

// After (Fixed):

bytes32 private constant MESSAGE_TYPEHASH = keccak256(

"SnowmanClaim(address receiver, uint256 amount, uint256 chainId)"

);

function getMessageHash(address receiver) public view returns (bytes32) {

uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(

MESSAGE_TYPEHASH,

receiver,

amount,

block.chainid // ✅ Include chainId

))

);

}

Why This Fixes It:

✅ Each chain has a unique chainId
✅ Signatures are chain-specific
✅ Cannot replay signature on different chains
✅ Prevents double-claiming across chains

References

EIP-712: Typed structured data hashing and signing
Cross-chain replay attack vulnerability
Similar findings in multiple multi-chain DeFi protocols

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!