Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Typo in MESSAGE_TYPEHASH ("addres") breaks EIP-712 compliance

Root + Impact

Description

EIP-712 requires the type string used to build a signing hash to exactly match the struct's canonical encoding. The SnowmanAirdrop contract derives its signing digest from MESSAGE_TYPEHASH.

The problem is that the type string is misspelled: it declares addres receiver (one "s") instead of address receiver. The contract is internally consistent — it signs and verifies with the same wrong string, so its own tests pass — but it is NOT EIP-712 compliant.

Solidity
bytes32 private constant MESSAGE_TYPEHASH =
keccak256("SnowmanClaim(addres receiver, uint256 amount)");
// @> "addres" should be "address"


// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • Any wallet, SDK, or frontend that builds the EIP-712 digest from the correct struct definition (the standard behavior) will compute a different typehash than the contract.

  • This happens whenever a claim is signed using a standards-compliant signer rather than replicating the contract's misspelled string.

Impact:

  • Signatures produced with the correct EIP-712 type string fail _isValidSignature, blocking legitimate claims made through compliant tooling.

  • The contract is not EIP-712 interoperable, harming integrations and external signers.

Proof of Concept

No exploit is required; this is a standards-compliance defect. The contract computes:

keccak256("SnowmanClaim(addres receiver, uint256 amount)")

while a compliant signer computes the canonical:

keccak256("SnowmanClaim(address receiver,uint256 amount)")

These produce different typehashes, hence different digests. A signature generated against the canonical type string recovers a different signer and fails the actualSigner == receiver check in _isValidSignature, so a legitimately-signed claim from standard tooling reverts with SA__InvalidSignature.

This is a standards-compliance defect, demonstrable by comparing the two type hashes:
// What the contract uses (misspelled):
keccak256("SnowmanClaim(addres receiver, uint256 amount)")
// What an EIP-712-compliant signer derives from the struct:
keccak256("SnowmanClaim(address receiver,uint256 amount)")
These two strings hash to different bytes32 values, producing different EIP-712 digests for the same logical claim. A user who signs with a standards-compliant wallet generates a signature over the canonical digest. When passed to claimSnowman, ECDSA.tryRecover returns an address that does not equal `receiver`, so _isValidSignature returns false and the claim reverts with SA__InvalidSignature — even though the user signed correctly.

Recommended Mitigation

The fix corrects the type string to match the EIP-712 canonical encoding ("address" instead of "addres", and no space after the comma). Once corrected, the typehash matches what compliant wallets and SDKs compute, restoring interoperability so that legitimately-signed claims verify correctly.

- bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver,uint256 amount)");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!