Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Dynamic Amount Calculation in claimSnowman Causes Merkle Proof Verification Failure

alaaeldinsabib

Summary

The claimSnowman function in SnowmanAirdrop.sol calculates the amount dynamically using i_snow.balanceOf(receiver) instead of using a fixed amount from the signature or Merkle tree. If a user's token balance changes between signature generation and claim execution, the Merkle proof verification will fail, blocking legitimate claims.

Description

The Merkle tree is generated off-chain with fixed amounts for each user. However, during the claim process, the contract recalculates the amount based on the user's current balance. If the user transferred, bought, or sold any Snow tokens after signing but before claiming, the calculated leaf hash will not match the Merkle root, causing the transaction to revert.

Root Cause

File: src/SnowmanAirdrop.sol (lines 76-79)

function claimSnowman(...) external nonReentrant {

// ...

uint256 amount = i_snow.balanceOf(receiver); // ❌ Dynamic amount

bytes32 leaf = keccak256(bytes.concat(

keccak256(abi.encode(receiver, amount)) // Hash changes if balance changes

));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

// ...

}

Risk

Severity: Medium
Likelihood: High
Impact: Medium

❌ Legitimate users are blocked from claiming if their balance changes
❌ Causes Denial of Service (DoS) for the airdrop feature
❌ Poor user experience (confusing revert errors)
❌ Users must ensure their balance remains exactly the same until claim

Proof of Concept

Scenario: Alice signs the claim with 100 Snow tokens, then transfers 1 token before claiming.

Expected Behavior: Alice should be able to claim her 100 NFTs regardless of her current balance.

Actual Behavior: The claim fails because the contract checks her current balance (99) against the Merkle root (100).

function test_ClaimFailsIfBalanceChanges() public {

address alice = makeAddr("alice");

uint256 initialAmount = 100;

// 1. Alice has 100 tokens and generates a valid signature/proof

// (Setup mocked for brevity)

bytes32[] memory proof = getMockProof(alice, initialAmount);

(uint8 v, bytes32 r, bytes32 s) = getMockSignature(alice, initialAmount);

// 2. Alice transfers 1 token before claiming

vm.prank(alice);

snow.transfer(makeAddr("charlie"), 1);

assertEq(snow.balanceOf(alice), 99); // Balance changed!

// 3. Alice tries to claim

vm.prank(alice);

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);

airdrop.claimSnowman(alice, proof, v, r, s);

console2.log("VULNERABILITY: Claim failed because balance changed from 100 to 99");

}

Test Output:

Transaction reverted: SA__InvalidProof

VULNERABILITY: Claim failed because balance changed from 100 to 99

What This Proves:

✅ Amount is calculated dynamically from balance
✅ Any balance change invalidates the Merkle proof
✅ Legitimate users are blocked from claiming

Recommended Mitigation

Pass the amount as a parameter to the claimSnowman function and verify it against the signature and Merkle proof:

// Before (Vulnerable):

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant {

uint256 amount = i_snow.balanceOf(receiver); // ❌ Dynamic

// ...

}

// After (Fixed):

function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant {

// 1. Verify signature includes the exact amount

if (!_isValidSignature(receiver, getMessageHash(receiver, amount), v, r, s)) {

revert SA__InvalidSignature();

}

// 2. Verify Merkle proof with the exact amount

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

// 3. Ensure user has enough balance to cover the claim

if (i_snow.balanceOf(receiver) < amount) {

revert SA__InsufficientBalance();

}

i_snow.safeTransferFrom(receiver, address(this), amount);

s_hasClaimedSnowman[receiver] = true;

i_snowman.mintSnowman(receiver, amount);

}

Why This Fixes It:

✅ Amount is fixed at signature time
✅ Merkle proof verification is stable
✅ Balance check is done separately after verification

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!