Raisebox Faucet

Summary

The claimFaucetTokens() function is vulnerable to Sybil DDoS attacks where attackers can deploy multiple contracts to overwhelm daily limits and profitably drain the faucet's ETH reserves, denying service to legitimate claimers.

Description

Normal Behavior

• Daily claim limit restricts number of claims per day via dailyClaimCount

• Daily ETH cap limits total ETH distributed per day via dailySepEthCap

• First-time claimers receive 0.005 ETH

Issue

The contract is vulnerable to a Sybil DDoS attack where attackers deploy multiple contracts to overwhelm the faucet system:

Line: 179 - 181, 194

The vulnerability exists because:

• The faucet can only verify addresses, not human identities

• Deployment cost is less than claim reward

Risk

Likelihood

• Requires only basic contract deployment

• Attackers always earn significant profit

• The attack can be executed as soon as daily limits reset

Impact

• Concentration of ETH resources to single attacker instead of diverse user base

• Legitimate users cannot access faucet ETH when daily caps are exhausted

• Faucet loses ETH and token reserves faster than intended

• Attackers can use private transactions or submarine transactions, making it nearly impossible for the system to track and respond to attacks

Proof of Concept

Textual PoC

1. Attacker deploys multiple simple contracts to create fake user identities

2. Each contract calls claimFaucetTokens() as a first-time claimer and transfers all ETH and tokens to the attacker's address

3. The attack repeats daily via script → system becomes unavailable most of the time

Coded PoC

SybilDDoSAttack.t.sol: https://github.com/Luu-Duc-Toan/2025-10-raisebox-faucet/blob/master/test/SybilDDoSAttack.t.sol

Recommended Mitigation

Combine with off-chain DDoS mitigation services (e.g., Cloudflare, AWS Shield) to verify claimers as human before on-chain execution: