Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

EIP-712 `MESSAGE_TYPEHASH` typo breaks signature claims for standard signers

rayair

Root + Impact

Description

claimSnowman lets a third party claim on a recipient's behalf using an EIP-712 signature, which means any standard signer (wallet, ethers, viem) must be able to produce a valid signature.
The MESSAGE_TYPEHASH string has a typo (addres instead of address, plus a non-canonical space), so the contract's digest differs from the one any compliant signer computes.

```solidity

@> bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

// ^ typo "addres" + non-canonical spacing

```

Risk

Likelihood:

Occurs for every signature produced by any EIP-712-compliant tool, since they all use the correct type string address receiver,uint256 amount.
Only a custom signer that reproduces the exact buggy string can pass, which no standard wallet does.

Impact:

The "claim on behalf via v, r, s" feature is unusable with standard tooling — valid signatures are rejected.
Core advertised functionality is broken for all conforming integrations.

Proof of Concept

Self-contained Foundry test. Run: `forge test --match-test test_M2_StandardEip712SignatureRejected -vvv`

```solidity

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

contract M2 is Test {

Snow snow; Snowman nft; SnowmanAirdrop airdrop; MockWETH weth;

address alice; uint256 aliceKey;

function setUp() public {

(alice, aliceKey) = makeAddrAndKey("alice");

weth = new MockWETH();

snow = new Snow(address(weth), 1, makeAddr("collector"));

nft = new Snowman("ipfs://svg");

airdrop = new SnowmanAirdrop(bytes32(uint256(1)), address(snow), address(nft));

// give alice a non-zero balance so getMessageHash does not revert

vm.deal(alice, 1e18);

vm.prank(alice);

snow.buySnow{value: 1e18}(1);

}

function test_M2_StandardEip712SignatureRejected() public {

// Build the CORRECT EIP-712 digest, exactly as ethers/viem/a wallet would.

bytes32 DOMAIN_TYPEHASH =

keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");

bytes32 domainSep = keccak256(abi.encode(

DOMAIN_TYPEHASH, keccak256(bytes("Snowman Airdrop")), keccak256(bytes("1")),

block.chainid, address(airdrop)

));

bytes32 correctTypehash = keccak256("SnowmanClaim(address receiver,uint256 amount)");

bytes32 structHash = keccak256(abi.encode(correctTypehash, alice, uint256(1)));

bytes32 correctDigest = keccak256(abi.encodePacked(hex"1901", domainSep, structHash));

// The contract's own digest (built from the typo'd typehash) differs:

assertTrue(correctDigest != airdrop.getMessageHash(alice));

// So a standard, correctly-produced signature is REJECTED by the contract:

bytes32[] memory emptyProof;

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, correctDigest);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, emptyProof, v, r, s);

}

```

**What it proves:** a signature created with the canonical EIP-712 type string (what every real wallet/library uses) does not match the contract's digest and is rejected with `SA__InvalidSignature`. The "claim on behalf" feature cannot be used by any standard signer.

Recommended Mitigation

``diff

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

```

**Why this fixes it:** the type string now matches the EIP-712 canonical encoding, so the digest computed on-chain equals the one any standard signer produces, and valid signatures verify.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!