Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

### [L-1] `SnowmanAirdrop` EIP-712 typehash is malformed, so standards-compliant signatures are rejected

Description

The airdrop lets someone claim on a recipient's behalf using the recipient's EIP-712 signature. For this to work with normal wallets/tooling, the on-chain type hash must match the EIP-712 canonical type string.

The declared type string is malformed — "SnowmanClaim(addres receiver, uint256 amount)" — with a typo (addres) and spaces. It is not the canonical "SnowmanClaim(address receiver,uint256 amount)". As a result, any signature produced by a standards-compliant EIP-712 signer is rejected, because on-chain verification only accepts signatures over the malformed digest.

@> bytes32 private constant MESSAGE_TYPEHASH =
@> keccak256("SnowmanClaim(addres receiver, uint256 amount)"); // typo + spaces => wrong typehash

Risk

Likelihood: Medium

  • Every recipient who uses a standard wallet or library (MetaMask signTypedData, ethers/viem signTypedData) to sign their claim is affected — that is the normal, documented way to produce the signature.

Impact: Low

  • The on-behalf claim flow fails for compliant signatures; it only works if the signer manually reproduces the exact non-standard hash. No funds are lost, but a documented feature is broken and EIP-712 compliance is violated.

Proof of Concept

The test reconstructs the digest a compliant signer would produce (canonical type hash + the contract's own EIP-712 domain), signs it as alice, and shows claimSnowman reverts SA__InvalidSignature.

Run forge test --mt test_L1_eip712_canonical_signature_rejected -vvv:

function test_L1_eip712_canonical_signature_rejected() public {
uint256 amount = snow.balanceOf(alice); // 1
bytes32 canonicalTypehash = keccak256("SnowmanClaim(address receiver,uint256 amount)");
bytes32 structHash = keccak256(abi.encode(canonicalTypehash, alice, amount));
bytes32 canonicalDigest = _domainDigest(structHash);
assertTrue(canonicalDigest != airdrop.getMessageHash(alice)); // digests differ
(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, canonicalDigest);
vm.prank(alice); snow.approve(address(airdrop), 1);
vm.prank(satoshi);
vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); // canonical sig rejected
airdrop.claimSnowman(alice, AL_PROOF, v, r, s);
}
// digest = keccak(0x1901 || domainSeparator || structHash), using the contract's own domain
function _domainDigest(bytes32 structHash) internal view returns (bytes32) {
(, string memory name, string memory version, uint256 chainId, address vc,,) = airdrop.eip712Domain();
bytes32 domainTypeHash =
keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
bytes32 sep = keccak256(abi.encode(domainTypeHash, keccak256(bytes(name)), keccak256(bytes(version)), chainId, vc));
return keccak256(abi.encodePacked("\x19\x01", sep, structHash));
}

Result: PASS — a valid canonical EIP-712 signature by alice is rejected by claimSnowman.

Recommended Mitigation

Use the canonical EIP-712 type string:

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!