Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Balance-dependent Merkle leaves let token transfers invalidate valid claims

mythdd

Root + Impact

Description

Normal behavior: a whitelisted receiver with a valid Merkle proof should be able to claim their allocated Snowman NFTs. The allocation should be the amount committed in the Merkle tree.
The issue is that the contract does not accept the committed claim amount as calldata. Instead, it recomputes the Merkle leaf from the receiver's current Snow balance. Because Snow is a transferable ERC20, any balance change after the tree is generated changes the leaf and makes the original proof invalid. A third party can transfer extra Snow to a victim and force their claim to revert until they manually restore the exact snapshot balance.

function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external

nonReentrant

{

if (i_snow.balanceOf(receiver) == 0) {

revert SA__ZeroAmount();

}

if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {

revert SA__InvalidSignature();

}

// @> Uses mutable current balance instead of the amount committed in the Merkle tree.

uint256 amount = i_snow.balanceOf(receiver);

// @> Any transfer to or from receiver changes this leaf.

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

i_snow.safeTransferFrom(receiver, address(this), amount);

i_snowman.mintSnowman(receiver, amount);

}

Risk

Likelihood:

Snow is a normal ERC20, so any holder can transfer Snow to a whitelisted receiver without the receiver's consent.
Receivers also naturally change their own balances by earning, buying, or transferring Snow during the farming period.

Impact:

Valid whitelisted users can be blocked from claiming with their published Merkle proof.
The airdrop root becomes fragile because claims depend on live token balances rather than immutable snapshot allocations.

Proof of Concept

The test starts with Alice as a valid whitelisted receiver, then has an attacker transfer one extra Snow token to Alice. Alice's live balance no longer matches the amount committed in the Merkle tree, so the contract recomputes a different leaf and rejects Alice's otherwise valid proof.

function testExtraSnowInvalidatesMerkleProofForWhitelistedReceiver() public {

(SnowmanAirdrop airdrop, Snow snow,) = _deployAirdrop();

(address alice, uint256 aliceKey) = makeAddrAndKey("alice");

address attacker = makeAddr("attacker");

vm.warp(block.timestamp + 1 weeks);

vm.prank(attacker);

snow.earnSnow();

vm.prank(attacker);

snow.transfer(alice, 1);

assertEq(snow.balanceOf(alice), 2);

vm.prank(alice);

snow.approve(address(airdrop), 2);

bytes32 digest = airdrop.getMessageHash(alice);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, digest);

vm.expectRevert(SnowmanAirdrop.SA__InvalidProof.selector);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

}

Recommended Mitigation

Pass the snapshot allocation amount as calldata, sign that amount, verify that amount, and transfer exactly that amount.

- function claimSnowman(address receiver, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

+ function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s)

external

nonReentrant

{

- if (i_snow.balanceOf(receiver) == 0) {

+ if (amount == 0) {

revert SA__ZeroAmount();

}

- if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {

+ if (!_isValidSignature(receiver, getMessageHash(receiver, amount), v, r, s)) {

revert SA__InvalidSignature();

}

- uint256 amount = i_snow.balanceOf(receiver);

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount))));

if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) {

revert SA__InvalidProof();

}

i_snow.safeTransferFrom(receiver, address(this), amount);

i_snowman.mintSnowman(receiver, amount);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-01] DoS to a user trying to claim a Snowman

# Root + Impact ## Description * Users will approve a specific amount of Snow to the SnowmanAirdrop and also sign a message with their address and that same amount, in order to be able to claim the NFT * Because the current amount of Snow owned by the user is used in the verification, an attacker could forcefully send Snow to the receiver in a front-running attack, to prevent the receiver from claiming the NFT.  ```Solidity function getMessageHash(address receiver) public view returns (bytes32) { ... // @audit HIGH An attacker could send 1 wei of Snow token to the receiver and invalidate the signature, causing the receiver to never be able to claim their Snowman uint256 amount = i_snow.balanceOf(receiver); return _hashTypedDataV4( keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount}))) ); ``` ## Risk **Likelihood**: * The attacker must purchase Snow and forcefully send it to the receiver in a front-running attack, so the likelihood is Medium **Impact**: * The impact is High as it could lock out the receiver from claiming forever ## Proof of Concept The attack consists on Bob sending an extra Snow token to Alice before Satoshi claims the NFT on behalf of Alice. To showcase the risk, the extra Snow is earned for free by Bob. ```Solidity function testDoSClaimSnowman() public { assert(snow.balanceOf(alice) == 1); // Get alice's digest while the amount is still 1 bytes32 alDigest = airdrop.getMessageHash(alice); // alice signs a message (uint8 alV, bytes32 alR, bytes32 alS) = vm.sign(alKey, alDigest); vm.startPrank(bob); vm.warp(block.timestamp + 1 weeks); snow.earnSnow(); assert(snow.balanceOf(bob) == 2); snow.transfer(alice, 1); // Alice claim test assert(snow.balanceOf(alice) == 2); vm.startPrank(alice); snow.approve(address(airdrop), 1); // satoshi calls claims on behalf of alice using her signed message vm.startPrank(satoshi); vm.expectRevert(); airdrop.claimSnowman(alice, AL_PROOF, alV, alR, alS); } ``` ## Recommended Mitigation Include the amount to be claimed in both `getMessageHash` and `claimSnowman` instead of reading it from the Snow contract. Showing only the new code in the section below ```Python function claimSnowman(address receiver, uint256 amount, bytes32[] calldata merkleProof, uint8 v, bytes32 r, bytes32 s) external nonReentrant { ... bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(receiver, amount)))); if (!MerkleProof.verify(merkleProof, i_merkleRoot, leaf)) { revert SA__InvalidProof(); } // @audit LOW Seems like using the ERC20 permit here would allow for both the delegation of the claim and the transfer of the Snow tokens in one transaction i_snow.safeTransferFrom(receiver, address(this), amount); // send ... } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!