First-Time ETH Claim Abuse via Wallet Cycling
Root + Impact
Description
-
First-time users receive 0.005 Sepolia ETH.(The faucet sends 0.005 Sepolia ETH to first-time users. This is determined by checking
hasClaimedEth[msg.sender].) -
Users can repeatedly claim ETH by cycling through new wallets.(Since
msg.sendercan be changed by using new wallets, users can repeatedly claim ETH by cycling through fresh addresses.)
Risk
Likelihood:
-
Any time a user interacts with the faucet using a fresh wallet.
-
There’s no identity verification beyond wallet address
-
This occurs whenever a user interacts with the faucet using a new wallet address. Since wallet creation is free and fast, the barrier to abuse is low.
Impact:
-
ETH reserves can be drained, disrupting faucet functionality
-
Faucet loses reliability as a testing tool
-
Reduced availability for real testers
-
Loss of trust in faucet reliability
Proof of Concept
Explanation:
This loop simulates a user creating multiple wallets to repeatedly claim ETH. Each wallet bypasses the hasClaimedEth check, exploiting the faucet.
Recommended Mitigation
Explanation:
Introduce a verification layer (e.g., Merkle proof, off-chain KYC, or allowlisting)
Alternatively, limit ETH claims to trusted addresses or use a one-time claim token
Emit events for ETH claims to improve traceability
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.