Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`Snowman::mintSnowman` lacks access control — anyone mints unlimited NFTs

rayair

Root + Impact

Description

The whole point of the protocol is that a Snowman NFT is earned: a user must acquire Snow (buy it with ETH/WETH via Snow::buySnow or earn it weekly via Snow::earnSnow), then go through SnowmanAirdrop::claimSnowman, which checks a Merkle proof of eligibility, verifies an EIP-712 signature, pulls (stakes) the user's Snow into the airdrop contract, and only then mints the corresponding Snowman NFTs. In other words, Snowman::mintSnowman is the single privileged "money-printing" function and is supposed to be callable only by SnowmanAirdrop.
However, mintSnowman is declared external with no access control whatsoever — no onlyOwner, no check that msg.sender == airdrop, nothing. Any externally-owned account or contract can call it directly, pass itself as receiver and any amount, and mint that many NFTs for free. Every eligibility check enforced by SnowmanAirdrop (Merkle proof, signature, staking of Snow) is completely bypassed because the caller never has to go through the airdrop at all.
This also breaks the implicit protocol invariant that Snowman.totalSupply() equals the amount of Snow staked through legitimate claims: an attacker can inflate the NFT supply arbitrarily without ever staking a single Snow token.

function mintSnowman(address receiver, uint256 amount) external {

@> // @audit no access control — ANY caller can mint, bypassing SnowmanAirdrop entirely

for (uint256 i = 0; i < amount; i++) {

@> _safeMint(receiver, s_TokenCounter); // free NFT, no Snow staked, no proof, no signature

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

1. The protocol is deployed; `SnowmanAirdrop` holds the Merkle root and is meant to be the only minter.

2. An attacker (who never bought or earned any `Snow`) calls `Snowman::mintSnowman(attacker, N)` directly with any `N`.

3. The loop mints `N` Snowman NFTs straight to the attacker. No `Snow` is staked, no proof or signature is checked.

4. The attacker repeats at will, minting the entire desired supply for free and, e.g., dumping the NFTs on a marketplace before legitimate claimers ever participate.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

The function is permissionless and always reachable, so any external account calls it at will.
The mint path requires no Snow balance, no Merkle proof and no signature, so any actor reaches it trivially.Likelihood:

Impact:

Unlimited free minting of Snowman NFTs, fully bypassing the buy/earn/stake/claim flow.
NFT supply and distribution become attacker-controlled, destroying the airdrop's integrity and value.

Proof of Concept

elf-contained Foundry test. Run: `forge test --match-test test_H1_AnyoneCanMintSnowmanForFree -vvv`

```solidity

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

import {Snowman} from "../src/Snowman.sol";

contract H1 is Test {

Snowman nft;

address attacker = makeAddr("attacker");

function setUp() public {

nft = new Snowman("ipfs://svg"); // deployed exactly as in the protocol

}

function test_H1_AnyoneCanMintSnowmanForFree() public {

// The attacker owns no Snow, has no Merkle proof and no signature.

assertEq(nft.balanceOf(attacker), 0);

// He calls the unprotected mint function directly.

vm.prank(attacker);

nft.mintSnowman(attacker, 10);

// He now holds 10 Snowman NFTs, minted out of thin air.

assertEq(nft.balanceOf(attacker), 10);

}

```

**What it proves:** an arbitrary address (`attacker`) mints 10 NFTs with zero Snow, zero proof and zero signature, fully bypassing `SnowmanAirdrop`. The test passes, confirming the access-control gap is directly exploitable.

Recommended Mitigation

Restrict minting to the airdrop contract. Set the authorized minter once (immutable, in the constructor) and gate `mintSnowman` with a modifier:

```diff

+ error SM__NotAllowed();

+ address private immutable i_airdrop;

- constructor(string memory _SnowmanSvgUri) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {

+ constructor(string memory _SnowmanSvgUri, address _airdrop) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {

+ i_airdrop = _airdrop;

s_TokenCounter = 0;

s_SnowmanSvgUri = _SnowmanSvgUri;

}

+ modifier onlyAirdrop() {

+ if (msg.sender != i_airdrop) revert SM__NotAllowed();

+ _;

+ }

- function mintSnowman(address receiver, uint256 amount) external {

+ function mintSnowman(address receiver, uint256 amount) external onlyAirdrop {

for (uint256 i = 0; i < amount; i++) {

_safeMint(receiver, s_TokenCounter);

emit SnowmanMinted(receiver, s_TokenCounter);

s_TokenCounter++;

}

```

**Why this fixes it:** minting is now reachable only by `SnowmanAirdrop`, so every mint is gated behind the Merkle-proof + signature + staking checks. The deployment must wire the airdrop address into the Snowman constructor.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!