Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Malformed EIP-712 `MESSAGE_TYPEHASH` in `SnowmanAirdrop` breaks "claim on behalf" for every standard signer

gondar

Malformed EIP-712 MESSAGE_TYPEHASH in SnowmanAirdrop breaks "claim on behalf" for every standard signer

Description

  • The README advertises that a recipient can have someone claim on their behalf using the recipient's v, r, s EIP-712 signature.

  • MESSAGE_TYPEHASH is derived from a malformed type string, so the digest the contract verifies does not match the EIP-712 digest any spec-compliant wallet or library produces.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Two violations of the EIP-712 encodeType rules:

  1. addres is a typo for address.

  2. The encoded type must contain no spaces; the correct string is SnowmanClaim(address receiver,uint256 amount).

Risk

Likelihood: High

  • Every recipient who signs with standard tooling (MetaMask / ethers / viem signTypedData) uses the correct type string and will produce a signature that fails verification. The bundled test only passes because it signs over the contract-produced digest with vm.sign, masking the bug.

Impact: Medium

  • The gasless / third-party claim feature is unusable with real wallets: signatures generated normally revert with SA__InvalidSignature, so no one can claim on another's behalf as designed.

Proof of Concept

The on-chain typehash hashes "SnowmanClaim(addres receiver, uint256 amount)", whereas a compliant signer hashes "SnowmanClaim(address receiver,uint256 amount)". These produce different MESSAGE_TYPEHASH values, hence different EIP-712 digests:

function test_M2_typehashMismatch() public pure {
bytes32 onChain = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
bytes32 standard = keccak256("SnowmanClaim(address receiver,uint256 amount)");
assert(onChain != standard); // any compliant wallet signature will fail to verify
}

Recommended Mitigation

Replace the malformed type string with the EIP-712 spec-compliant encodeType string. Per the spec, encodeType is name ‖ "(" ‖ member₁ ‖ "," ‖ member₂ ‖ ")", where each member is type ‖ " " ‖ name — i.e. exactly one space between a member's type and its name, a comma (no space) between members, and canonical Solidity type names (address, uint256). The current string violates two of these rules (addres is not a valid type name, and there are stray spaces after the commas/inside the member list).

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Why this is sufficient and complete:

  • getMessageHash already builds the struct hash correctly with abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))abi.encode of the struct lays out receiver then amount as two 32-byte words, which is the correct EIP-712 encodeData. So once MESSAGE_TYPEHASH is fixed, the on-chain digest matches what a compliant signer produces; no other change to the hashing logic is needed.

  • The EIP-712 domain is already correct: the constructor calls EIP712("Snowman Airdrop", "1"), so off-chain signers must use domain = { name: "Snowman Airdrop", version: "1", chainId, verifyingContract: <airdrop address> }.

  • The struct/member names are part of the hash, so the off-chain types must match exactly:

    // ethers v6 / viem signTypedData
    const types = {
    SnowmanClaim: [
    { name: "receiver", type: "address" },
    { name: "amount", type: "uint256" },
    ],
    };
    const value = { receiver, amount }; // amount = recipient's Snow balance at signing time

After fixing, re-verify with the contest's existing flow: TestSnowmanAirdrop::testClaimSnowman (which signs the contract-produced digest) must still pass, and a new test that signs via the standard types/domain above must now also pass — proving real wallet signatures are accepted.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!