Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

`SnowmanAirdrop::claimSnowman` builds the Merkle leaf from live `balanceOf`, permanently locking out any eligible user whose balance changes after the snapshot

gondar

SnowmanAirdrop::claimSnowman builds the Merkle leaf from live balanceOf, permanently locking out any eligible user whose balance changes after the snapshot

Description

  • The Merkle tree is generated off-chain from a fixed snapshot (script/flakes/input.json, amount 1 per whitelisted user) and the root is committed at deployment.

  • claimSnowman builds the leaf from the recipient's current balanceOf instead of the snapshotted amount. The moment a whitelisted user's balance differs from the snapshot, the computed leaf no longer matches the tree and the claim reverts forever.

uint256 amount = i_snow.balanceOf(receiver); // live balance
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

Risk

Likelihood: High

  • Snow is freely earnable (earnSnow), buyable (buySnow), and transferable, so balances drift away from the snapshot almost immediately and through completely normal usage.

Impact: High

  • Any legitimate whitelisted user who earns, buys, or receives even one wei of Snow before claiming is permanently unable to claim (SA__InvalidProof), losing their entitled NFTs — a denial of service against eligible users.

Proof of Concept

function test_H2_liveBalanceLocksOutLegitUser() public {
// Alice is whitelisted for amount == 1. She earns 1 more Snow.
vm.warp(block.timestamp + 1 weeks);
vm.prank(alice);
snow.earnSnow();
assertEq(snow.balanceOf(alice), 2); // snapshot said 1, live balance is now 2
vm.prank(alice);
snow.approve(address(airdrop), type(uint256).max);
bytes32 digest = airdrop.getMessageHash(alice); // built from amount = 2
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, digest);
// Her valid whitelist proof (for amount 1) no longer matches the leaf (for amount 2)
vm.prank(satoshi);
vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
}

Alice, a valid whitelisted user, can no longer claim; the test passes.

Recommended Mitigation

Bind the claim to the snapshotted amount (passed in and proven by the Merkle leaf) rather than live balance.

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)
external
nonReentrant
{
if (receiver == address(0)) revert SA__ZeroAddress();
if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();
if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) revert SA__InvalidSignature();
- uint256 amount = i_snow.balanceOf(receiver);
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));
if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();
i_snow.safeTransferFrom(receiver, address(this), amount);
s_hasClaimedSnowman[receiver] = true;
emit SnowmanClaimedSuccessfully(receiver, amount);
i_snowman.mintSnowman(receiver, amount);
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!