Submission Details
Impact:
Likelihood:
Claim signature has no nonce or deadline
Root + Impact
Description
-
The claim signature authorizes minting for a recipient.
-
It contains no nonce and no deadline, so a captured signature has no expiry and no single-use guarantee at the signature layer (it is only indirectly limited by the balance going to zero).
```solidity
@> // getMessageHash hashes only (receiver, amount): no nonce, no deadline
keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))
```
Risk
Likelihood:
Occurs whenever a signature is reusable in a state where the recipient again holds a matching balance, or if the balance-based mitigation is altered.
Impact:
Replay surface and no ability to expire/cancel a signature; weakens the signature scheme's guarantees.
Proof of Concept
```text
Static review: getMessageHash / _isValidSignature include neither a per-receiver nonce
nor a deadline, so a signature is not bound to a single use or a time window.
```
Recommended Mitigation
```diff
- keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))
+ keccak256(abi.encode(MESSAGE_TYPEHASH, receiver, amount, nonces[receiver]++, deadline))
+ // and in claimSnowman: require(block.timestamp <= deadline, "expired");
```
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.