Snowman Merkle Airdrop

AI First Flight #10

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Misspelled EIP-712 type hash rejects standard wallet signatures

mythdd

Root + Impact

Description

Normal behavior: receivers should be able to sign a standard EIP-712 typed-data message for SnowmanClaim(address receiver,uint256 amount), and relayers should be able to submit that signature to claim on their behalf.
The issue is that the contract hashes SnowmanClaim(addres receiver, uint256 amount), where address is misspelled as addres and the type string also includes non-canonical spacing. Standard EIP-712 tools and wallets produce a different digest for the valid struct type, so signatures created with the expected typed-data schema are rejected by the contract.

struct SnowmanClaim {

address receiver;

uint256 amount;

}

// @> "address" is misspelled as "addres"; the canonical EIP-712 type string is not used.

bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

function getMessageHash(address receiver) public view returns (bytes32) {

if (i_snow.balanceOf(receiver) == 0) {

revert SA__ZeroAmount();

}

uint256 amount = i_snow.balanceOf(receiver);

return _hashTypedDataV4(

keccak256(abi.encode(MESSAGE_TYPEHASH, SnowmanClaim({receiver: receiver, amount: amount})))

);

}

Risk

Likelihood:

Wallets and frontend libraries encode typed data with the valid primitive type address, not the invalid primitive addres.
Every claim path calls _isValidSignature(receiver, getMessageHash(receiver), v, r, s), so all relayed claims depend on this digest.

Impact:

Standard wallet signatures for the documented claim type fail with SA__InvalidSignature.
The intended gas-sponsored claim flow can become unusable unless off-chain infrastructure signs the contract's non-standard raw digest.

Proof of Concept

The test builds the digest that a standard EIP-712 wallet would sign for SnowmanClaim(address receiver,uint256 amount). The contract rejects that signature because it verifies against the misspelled internal type string instead of the canonical EIP-712 type.

function testStandardEip712SignatureIsRejectedBecauseTypeHashIsMisspelled() public {

(SnowmanAirdrop airdrop, Snow snow,) = _deployAirdrop();

(address alice, uint256 aliceKey) = makeAddrAndKey("alice");

vm.prank(alice);

snow.approve(address(airdrop), 1);

(bytes1 fields, string memory name, string memory version, uint256 chainId, address verifyingContract, bytes32 salt,)

= airdrop.eip712Domain();

bytes32 domainSeparator =

MessageHashUtils.toDomainSeparator(fields, name, version, chainId, verifyingContract, salt);

bytes32 standardTypeHash = keccak256("SnowmanClaim(address receiver,uint256 amount)");

bytes32 standardStructHash = keccak256(abi.encode(standardTypeHash, alice, snow.balanceOf(alice)));

bytes32 standardDigest = MessageHashUtils.toTypedDataHash(domainSeparator, standardStructHash);

(uint8 v, bytes32 r, bytes32 s) = vm.sign(aliceKey, standardDigest);

vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector);

airdrop.claimSnowman(alice, AL_PROOF, v, r, s);

}

Recommended Mitigation

Use the canonical EIP-712 type string and keep the off-chain typed-data schema identical.

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");

+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");

Regenerate any frontend, script, and test fixtures that sign the claim message so they use the corrected type.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!