Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Eligibility amount uses live `balanceOf` — legitimate claimers get locked out

rayair

Root + Impact

Description

A recipient's airdrop amount is committed in the Merkle tree at a fixed snapshot, so claiming should validate against that snapshot value.
claimSnowman instead derives both the signed amount and the Merkle leaf from the current balance, so any change in the recipient's Snow balance after the snapshot makes the computed leaf no longer match the root.

```solidity

@> uint256 amount = i_snow.balanceOf(receiver); // live balance, not the snapshot amount

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

@> if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

```

Risk

Likelihood:

Occurs whenever an eligible recipient's balance differs from the snapshot, which happens under normal use since Snow is freely transferable, buyable (buySnow) and earnable (earnSnow).
Occurs for every recipient who acquires or moves any Snow between the snapshot and their claim.

Impact:

Legitimately eligible users can never claim their NFTs — the proof reverts with SA__InvalidProof.
Denial of service on legitimate participants under normal token activity.

Proof of Concept

Self-contained Foundry test (uses the `murky` lib in `lib/` to build a real tree). Run: `forge test --match-test test_M3_LiveBalanceBreaksClaim -vvv`

```solidity

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

import {Merkle} from "murky/src/Merkle.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

contract M3 is Test {

Snow snow; Snowman nft; SnowmanAirdrop airdrop;

address alice; uint256 aliceKey;

function _leaf(address a, uint256 amt) internal pure returns (bytes32) {

return keccak256(bytes.concat(keccak256(abi.encode(a, amt)))); // exact contract format

}

function test_M3_LiveBalanceBreaksClaim() public {

(alice, aliceKey) = makeAddrAndKey("alice");

// Snapshot: alice is eligible for amount = 1 -> build the tree accordingly.

Merkle m = new Merkle();

bytes32[] memory leaves = new bytes32[](2);

leaves[0] = _leaf(alice, 1);

leaves[1] = _leaf(address(0xdEAD), 1);

bytes32 root = m.getRoot(leaves);

bytes32[] memory proof = m.getProof(leaves, 0);

snow = new Snow(address(new MockWETH()), 1, makeAddr("collector"));

nft = new Snowman("ipfs://svg");

airdrop = new SnowmanAirdrop(root, address(snow), address(nft));

// But alice now holds 2 Snow (she bought/earned more after the snapshot).

vm.deal(alice, 2e18);

vm.startPrank(alice);

snow.buySnow{value: 2e18}(2);

snow.approve(address(airdrop), type(uint256).max);

// Claim recomputes leaf = keccak(alice, 2) which is NOT in the tree (built for 1).

bytes32 digest = airdrop.getMessageHash(alice);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, digest);

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);

airdrop.claimSnowman(alice, proof, v, r, s);

vm.stopPrank();

}

```

**What it proves:** alice is genuinely eligible (her address is in the tree) and has a valid signature, but because her live balance (2) differs from the snapshot amount (1), the recomputed leaf no longer matches the root and her claim reverts with `SA__InvalidProof`. Normal token activity permanently locks eligible users out. *(A companion test `test_HappyPath_ClaimWorks` shows the claim succeeding when the balance equals the snapshot.)*

Recommended Mitigation

Commit the eligible `amount` in the Merkle tree and pass it as a parameter, instead of reading the live balance.

```diff

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external nonReentrant

{

...

- uint256 amount = i_snow.balanceOf(receiver);

+ require(i_snow.balanceOf(receiver) >= amount, "insufficient balance");

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

```

*(Also update `getMessageHash` to take `amount` so the signature commits to the snapshot value.)*

**Why this fixes it:** eligibility is bound to the immutable snapshot amount committed in the tree, so a user's claim no longer breaks when their live balance changes through normal use.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!