Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Claim uses live `balanceOf(receiver)` as the Merkle amount — any post-snapshot balance change permanently bricks the claim

s4m0y3d

Root + Impact

Description

SnowmanAirdrop::claimSnowman reconstructs the Merkle leaf from the recipient's current Snow balance instead of a fixed entitlement committed in the tree. Because the tree is built from a one-time snapshot, any change to the recipient's balance after the snapshot makes the recomputed leaf fall outside the tree, so the proof fails and the recipient can never claim.

uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

Risk

Likelihood:

High (balance drift is the expected behavior of the system).

Impact:

Medium (loss of intended functionality / locked claims, no direct theft)Proof of Concept

Proof of Concept

## Proof of Concept

Alice is whitelisted at snapshot balance `1`. After deployment her balance drifts to `2` (bob sends her 1 Snow — equivalent to her calling `earnSnow()`/`buySnow()`). She signs honestly and submits her real whitelisted proof, yet the claim reverts and she ends with `0` NFTs.

Add this file as `test/PoC_LiveBalanceBricksClaim.t.sol` and run `forge test --match-contract PoC_LiveBalanceBricksClaim -vv`:

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

import {Helper} from "../script/Helper.s.sol";

contract PoC_LiveBalanceBricksClaim is Test {

Snow snow; Snowman nft; SnowmanAirdrop airdrop; MockWETH weth;

// alice's proof from the official test suite — valid only for amount = 1.

bytes32[] AL_PROOF = [

bytes32(0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52),

bytes32(0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af),

bytes32(0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1)

];

address alice; uint256 alKey; address bob;

function setUp() public {

(airdrop, snow, nft, weth) = new Helper().run(); // alice balance == 1 (snapshot)

(alice, alKey) = makeAddrAndKey("alice");

bob = makeAddr("bob");

}

function test_balance_drift_bricks_legit_claim() public {

vm.prank(bob); snow.transfer(alice, 1); // balance 1 -> 2

vm.prank(alice); snow.approve(address(airdrop), type(uint256).max);

// alice signs honestly; digest/leaf now use amount = 2

(uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, airdrop.getMessageHash(alice));

vm.prank(bob);

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector); // proof is for amount 1

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

assertEq(nft.balanceOf(alice), 0); // legit recipient locked out

}

Recommended Mitigation

Commit the fixed entitlement `amount` in the leaf and pass it as an explicit calldata argument that is validated against the proof, instead of reading the live balance:

function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external {

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) revert SA__InvalidProof();

// require receiver to hold >= amount, transfer exactly `amount`, mint `amount`

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 9 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!