Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Unintended ETH Drips After `toggleEthDripPause` Invocation

player

Description

The toggleEthDripPause function is intended to pause the faucet’s ETH dripping mechanism, preventing users from claiming Sepolia ETH while the protocol is in a paused state. However, the current implementation does not enforce this pause condition within the claimFaucetTokens function.

As a result, even after the owner calls toggleEthDripPause, users can continue to claim Sepolia ETH from the faucet, effectively bypassing the intended pause functionality.

Risk

Likelihood:

This will occur whenever the owner calls toggleEthDripPause function and a user tires to claim the faucet tokens with claimFaucetTokens function.

Impact:

This issue allows users to continue receiving Sepolia ETH despite the faucet being paused, undermining the intended access control mechanism. It can lead to unintended ETH distributions and inaccurate accounting of total dripped amounts, reducing trust in the protocol’s operational integrity.

Proof of Concept

Paste this code snippet inside RaiseBoxFaucet.t.sol and run forge test --mt test_unintendedFaucetDrip -vvvv

function test_unintendedFaucetDrip() public {

uint256 userClaims;

assertFalse(raiseBoxFaucet.sepEthDripsPaused());

vm.startPrank(user1);

raiseBoxFaucet.claimFaucetTokens();

console.log("DailyDrips:",raiseBoxFaucet.dailyDrips());

vm.startPrank(owner);

raiseBoxFaucet.toggleEthDripPause(true);

assertTrue(raiseBoxFaucet.sepEthDripsPaused());

userClaims = raiseBoxFaucet.getBalance(user2);

vm.startPrank(user2);

raiseBoxFaucet.claimFaucetTokens();

userClaims = raiseBoxFaucet.getBalance(user2);

console.log(userClaims);

}

Recommended Mitigation

Implement a modifier to enforce the pause condition within the claimFaucetTokens function. For example:

+ modifier whenDripNotPaused() {

+ require(!sepEthDripsPaused, "ETH drip is currently paused");

+ _;

}

+function claimFaucetTokens() external whenDripNotPaused {

// existing faucet logic

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

inallhonesty Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!