Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Malformed EIP-712 `MESSAGE_TYPEHASH` breaks signed claims with standard tooling

s4m0y3d

Root + Impact

Description

The EIP-712 type hash used to verify claim signatures is built from a malformed type string (a typo plus non-canonical spacing). Any wallet or library that constructs the digest from the correct struct definition produces a different digest, so the contract rejects every standards-compliant signature. The "claim on behalf using v, r, s" feature therefore cannot be used with normal signing tools.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

Two defects in the encodeType string:

1. **Typo:** `addres` instead of `address`.

2. **Non-canonical encoding:** EIP-712 requires no spaces between members — `SnowmanClaim(address receiver,uint256 amount)`.

The digest the contract computes in `getMessageHash` / `_hashTypedDataV4` therefore does not match the digest any EIP-712-compliant signer (ethers, viem, MetaMask `signTypedData`) computes from the real struct. `_isValidSignature` recovers a different address and reverts with `SA__InvalidSignature`. The flow only works if the off-chain signer deliberately reproduces this exact buggy type string.

Risk

Likelihood:

High (any standard signer hits it).

Impact:

Medium (a core advertised feature is broken).

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {Test, console2} from "forge-std/Test.sol";

import {Snow} from "../src/Snow.sol";

import {Snowman} from "../src/Snowman.sol";

import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";

import {MockWETH} from "../src/mock/MockWETH.sol";

import {Helper} from "../script/Helper.s.sol";

/// @notice PoC for M-2: the contract's MESSAGE_TYPEHASH is malformed:

/// keccak256("SnowmanClaim(addres receiver, uint256 amount)")

/// (typo "addres" + non-canonical spaces). A signature produced from the

/// CORRECT, EIP-712-canonical typehash — i.e. what any standard wallet /

/// ethers / viem signTypedData would generate — is therefore rejected.

contract PoC_MalformedTypehash is Test {

Snow snow;

Snowman nft;

SnowmanAirdrop airdrop;

MockWETH weth;

Helper deployer;

bytes32 alProofA = 0xf99782cec890699d4947528f9884acaca174602bb028a66d0870534acf241c52;

bytes32 alProofB = 0xbc5a8a0aad4a65155abf53bb707aa6d66b11b220ecb672f7832c05613dba82af;

bytes32 alProofC = 0x971653456742d62534a5d7594745c292dda6a75c69c43a6a6249523f26e0cac1;

bytes32[] AL_PROOF = [alProofA, alProofB, alProofC];

address alice;

uint256 alKey;

address satoshi;

// The canonical EIP-712 struct type hash a compliant signer would use.

bytes32 constant CORRECT_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

bytes32 constant DOMAIN_TYPEHASH =

keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");

function setUp() public {

deployer = new Helper();

(airdrop, snow, nft, weth) = deployer.run();

(alice, alKey) = makeAddrAndKey("alice");

satoshi = makeAddr("gas_payer");

}

/// Rebuild the EIP-712 digest exactly as a standards-compliant signer would,

/// using the CORRECT type string, against this contract's domain.

function _correctDigest(address receiver, uint256 amount) internal view returns (bytes32) {

bytes32 domainSeparator = keccak256(

abi.encode(

DOMAIN_TYPEHASH,

keccak256(bytes("Snowman Airdrop")), // name set in SnowmanAirdrop constructor

keccak256(bytes("1")), // version

block.chainid,

address(airdrop)

)

);

bytes32 structHash = keccak256(abi.encode(CORRECT_TYPEHASH, receiver, amount));

return keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));

}

function test_standard_eip712_signature_is_rejected() public {

vm.prank(alice);

snow.approve(address(airdrop), type(uint256).max);

uint256 amount = snow.balanceOf(alice); // 1

// (A) A correct, EIP-712-canonical signature -> REJECTED by the contract.

bytes32 goodDigest = _correctDigest(alice, amount);

(uint8 v1, bytes32 r1, bytes32 s1) = vm.sign(alKey, goodDigest);

vm.prank(satoshi);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, AL_PROOF, v1, r1, s1);

assertEq(nft.balanceOf(alice), 0, "compliant signature was rejected");

// (B) Positive control: only a signature over the contract's OWN buggy

// digest is accepted. The two digests differ purely due to the typehash.

bytes32 buggyDigest = airdrop.getMessageHash(alice);

assertTrue(goodDigest != buggyDigest, "canonical vs malformed digests differ");

(uint8 v2, bytes32 r2, bytes32 s2) = vm.sign(alKey, buggyDigest);

vm.prank(satoshi);

airdrop.claimSnowman(alice, AL_PROOF, v2, r2, s2);

assertEq(nft.balanceOf(alice), 1, "only the malformed-typehash signature works");

console2.log("canonical digest :", vm.toString(goodDigest));

console2.log("contract digest :", vm.toString(buggyDigest));

}

Recommended Mitigation

Fix the type string so it matches the canonical EIP-712 definition — add the missing `d` and remove the space after the comma:

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 9 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!