Snowman Merkle Airdrop

AI First Flight #10
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Malformed MESSAGE_TYPEHASH makes SnowmanAirdrop incompatible with standard EIP-712 signatures

Root + Impact

Description

SnowmanAirdrop is intended to allow a recipient to sign an EIP-712 SnowmanClaim message so that either the recipient or another account can submit the claim.

The declared struct is:

struct SnowmanClaim {
address receiver;
uint256 amount;
}

The corresponding type declaration should use address receiver. However, MESSAGE_TYPEHASH contains the misspelled type addres.

// src/SnowmanAirdrop.sol
@> bytes32 private constant MESSAGE_TYPEHASH =
keccak256("SnowmanClaim(addres receiver, uint256 amount)");

A standard frontend generates the type hash from the correctly declared struct:

keccak256("SnowmanClaim(address receiver, uint256 amount)");

Because the type strings differ, the frontend and contract calculate different struct hashes and different final EIP-712 digests.

A signature produced by the frontend therefore recovers to a different address when checked against the contract-generated digest:

if (!_isValidSignature(receiver, getMessageHash(receiver), v, r, s)) {
revert SA__InvalidSignature();
}

Consequently, signatures generated through the intended standard EIP-712 integration are rejected by claimSnowman().

Risk

Likelihood

  • The mismatch is deterministic.

  • Every frontend using the correct address receiver declaration calculates a different digest from the contract.

  • No special attacker action or unusual state is required.

  • The issue occurs for every recipient using standard typed-data signing.

The likelihood is therefore High.

Impact

  • Standard EIP-712 wallet signatures cannot be used to claim Snowman NFTs.

  • The advertised delegated-claim functionality is globally incompatible with normal frontend and wallet integrations.

  • Eligible users receive SA__InvalidSignature() despite signing the correct claim data.

  • A custom signer would need to intentionally reproduce the contract's malformed type declaration, defeating the intended standardized signing flow.

Because the issue breaks a core protocol interaction for all standard integrations, the impact is High.

Proof of Concept

Create test/InvalidMessageTypehash.t.sol:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import {Test} from "forge-std/Test.sol";
import {Snow} from "../src/Snow.sol";
import {Snowman} from "../src/Snowman.sol";
import {SnowmanAirdrop} from "../src/SnowmanAirdrop.sol";
import {MockWETH} from "../src/mock/MockWETH.sol";
import {Helper} from "../script/Helper.s.sol";
contract InvalidMessageTypehashTest is Test {
Snow internal snow;
Snowman internal nft;
SnowmanAirdrop internal airdrop;
MockWETH internal weth;
address internal alice;
uint256 internal aliceKey;
address internal relayer;
function setUp() public {
Helper helper = new Helper();
(airdrop, snow, nft, weth) = helper.run();
(alice, aliceKey) = makeAddrAndKey("alice");
relayer = makeAddr("relayer");
}
function testStandardEIP712SignatureIsRejected() public {
vm.prank(alice);
snow.approve(address(airdrop), 1);
// Type hash generated from the correctly declared SnowmanClaim struct.
bytes32 frontendMessageTypehash =
keccak256(
"SnowmanClaim(address receiver, uint256 amount)"
);
bytes32 domainSeparator = keccak256(
abi.encode(
keccak256(
"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
),
keccak256(bytes("Snowman Airdrop")),
keccak256(bytes("1")),
block.chainid,
address(airdrop)
)
);
bytes32 structHash = keccak256(
abi.encode(
frontendMessageTypehash,
alice,
snow.balanceOf(alice)
)
);
bytes32 frontendDigest = keccak256(
abi.encodePacked(
"\x19\x01",
domainSeparator,
structHash
)
);
bytes32 contractDigest = airdrop.getMessageHash(alice);
// The typo in MESSAGE_TYPEHASH causes different digests.
assertNotEq(frontendDigest, contractDigest);
// Alice signs the correctly formatted EIP-712 digest.
(uint8 v, bytes32 r, bytes32 s) =
vm.sign(aliceKey, frontendDigest);
bytes32[] memory emptyProof = new bytes32[](0);
// Signature validation happens before Merkle-proof validation.
vm.prank(relayer);
vm.expectRevert(
SnowmanAirdrop.SA__InvalidSignature.selector
);
airdrop.claimSnowman(
alice,
emptyProof,
v,
r,
s
);
assertEq(nft.balanceOf(alice), 0);
}
}

Run:

forge test --match-test testStandardEIP712SignatureIsRejected -vv

The test demonstrates that the correctly formatted frontend digest differs from the digest calculated by SnowmanAirdrop. The valid frontend signature is consequently rejected with SA__InvalidSignature().

Recommended Mitigation

Correct the misspelled Solidity type in MESSAGE_TYPEHASH and ensure that the frontend uses the exact same EIP-712 type declaration.

- bytes32 private constant MESSAGE_TYPEHASH =
- keccak256("SnowmanClaim(addres receiver, uint256 amount)");
+ bytes32 private constant MESSAGE_TYPEHASH =
+ keccak256("SnowmanClaim(address receiver, uint256 amount)");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-02] Unconsistent `MESSAGE_TYPEHASH` with standart EIP-712 declaration on contract `SnowmanAirdrop`

# Root + Impact ## Description * Little typo on `MESSAGE_TYPEHASH` Declaration on `SnowmanAirdrop` contract ```Solidity // src/SnowmanAirdrop.sol 49: bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); ``` **Impact**: * `function claimSnowman` never be `TRUE` condition ## Proof of Concept Applying this function at the end of /test/TestSnowmanAirdrop.t.sol to know what the correct and wrong digest output HASH. Ran with command: `forge test --match-test testFrontendSignatureVerification -vvvv` ```Solidity function testFrontendSignatureVerification() public { // Setup Alice for the test vm.startPrank(alice); snow.approve(address(airdrop), 1); vm.stopPrank(); // Simulate frontend using the correct format bytes32 FRONTEND_MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); // Domain separator used by frontend (per EIP-712) bytes32 DOMAIN_SEPARATOR = keccak256( abi.encode( keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"), keccak256("Snowman Airdrop"), keccak256("1"), block.chainid, address(airdrop) ) ); // Get Alice's token amount uint256 amount = snow.balanceOf(alice); // Frontend creates hash using the correct format bytes32 structHash = keccak256( abi.encode( FRONTEND_MESSAGE_TYPEHASH, alice, amount ) ); // Frontend creates the final digest (per EIP-712) bytes32 frontendDigest = keccak256( abi.encodePacked( "\x19\x01", DOMAIN_SEPARATOR, structHash ) ); // Alice signs the digest created by the frontend (uint8 v, bytes32 r, bytes32 s) = vm.sign(alKey, frontendDigest); // Digest created by the contract (with typo) bytes32 contractDigest = airdrop.getMessageHash(alice); // Display both digests for comparison console2.log("Frontend Digest (correct format):"); console2.logBytes32(frontendDigest); console2.log("Contract Digest (with typo):"); console2.logBytes32(contractDigest); // Compare the digests - they should differ due to the typo assertFalse( frontendDigest == contractDigest, "Digests should differ due to typo in MESSAGE_TYPEHASH" ); // Attempt to claim with the signature - should fail vm.prank(satoshi); vm.expectRevert(SnowmanAirdrop.SA__InvalidSignature.selector); airdrop.claimSnowman(alice, AL_PROOF, v, r, s); assertEq(nft.balanceOf(alice), 0); } ``` ## Recommended Mitigation on contract `SnowmanAirdrop` Line 49 applying this: ```diff - bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(addres receiver, uint256 amount)"); + bytes32 private constant MESSAGE_TYPEHASH = keccak256("SnowmanClaim(address receiver, uint256 amount)"); ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!