Snowman Merkle Airdrop
AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Typo in MESSAGE_TYPEHASH makes all signatures invalid — airdrop completely unclaimed

hokidoki

Root + Impact

Description

  • The SnowmanAirdrop contract allows eligible users to claim Snowman NFTs by submitting a Merkle proof and an EIP-712 signature. The contract reconstructs the signed message digest using MESSAGE_TYPEHASH and verifies the signature matches the receiver address.

  • The issue is a typo in the MESSAGE_TYPEHASH constant: the word "address" is misspelled as "addres", causing the contract to compute a different hash than what any wallet would actually sign. Since EIP-712 type hashes must be byte-perfect matches, this mismatch means ECDSA.recover() will always return a wrong signer address, causing SA__InvalidSignature to revert on every single claim attempt.

bytes32 private constant MESSAGE_TYPEHASH =
@> keccak256("SnowmanClaim(addres receiver, uint256 amount)");
// @> "addres" should be "address"// Correct: keccak256("SnowmanClaim(address receiver, uint256 amount)")

The claimSnowman() function uses this hash to build the digest:

function _isValidSignature(address signer, bytes32 digest, uint8 v, bytes32 r, bytes32 s)
internal pure returns (bool) {
(address actualSigner,,) = ECDSA.tryRecover(digest, v, r, s);
return (actualSigner == signer); // always false — digest built with wrong typehash
}

Risk

Likelihood:

  • This bug is triggered on every call to claimSnowman() without exception, for every user.

  • No special conditions are required — it is deterministically broken from deployment.

Impact:

  • The entire airdrop is permanently non-functional. No user can ever claim their Snowman NFT.

  • All airdrop allocations are permanently locked — no Snowman NFT will ever be minted through this function.

  • The protocol's core feature is completely and irreversibly broken until redeployed.

Proof of Concept

  1. Operator deploys SnowmanAirdrop with a valid Merkle root\

  2. Alice is in the Merkle tree with amount = 1\

  3. Alice's wallet signs the correct EIP-712 message using type string: "SnowmanClaim(address receiver, uint256 amount)"\

  4. Alice calls claimSnowman(1, proof, aliceAddress, v, r, s)\

  5. Contract computes typehash using "SnowmanClaim(addres receiver, uint256 amount)" — produces different bytes32\

  6. Digest is different → ECDSA.recover() returns wrong address → actualSigner != aliceAddress\

  7. Reverts with SA__InvalidSignature — Alice cannot claim\

  8. Same result for every user, every time, with any valid signature

    To verify: compute both hashes:

keccak256("SnowmanClaim(addres receiver, uint256 amount)")
// vs
keccak256("SnowmanClaim(address receiver, uint256 amount)")
// They are different — proves signatures will never verify

Recommended Mitigation

- keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ keccak256("SnowmanClaim(address receiver, uint256 amount)");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!