Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: medium
Invalid

Sepolia ETH Daily Cap Lacks Adjustment Functionality


Description

dailySepEthCap, the maximum amount of Sepolia ETH distributed per day, is set in the constructor and remains fixed afterwards, unlike the adjustable dailyClaimLimit. This prevents the owner from updating the ETH cap after deployment as needs change.

    constructor(
        string memory name_,
        string memory symbol_,
        uint256 faucetDrip_,
        uint256 sepEthDrip_,
        uint256 dailySepEthCap_
    ) ERC20(name_, symbol_) Ownable(msg.sender) {
        faucetDrip = faucetDrip_; // 1000e18
        sepEthAmountToDrip = sepEthDrip_; // 0.005 ether
        dailySepEthCap = dailySepEthCap_; // 0.5 ether
        //@> No adjustment for sepolia-eth daily limit: dailySepEthCap, remains what it's set forever while faucet's is adjustable
        _mint(address(this), INITIAL_SUPPLY); // mint initial supply to contract on deployment
    }

Risk

Likelihood:

  • Usage spikes exceed fixed 0.5 ether cap.

  • Economic changes require cap reduction.

Impact:

  • Over-distribution drains ETH faster than intended.

  • Inflexibility limits operational control vs. token claims.

Proof of Concept

    function testDailySepEthCapCannotBeAdjusted() public {
        uint256 initialCap = raiseBoxFaucet.dailySepEthCap();
        uint256 adjustBy = 0.1 ether;

        // dailyClaimLimit adjustable
        vm.prank(owner);
        raiseBoxFaucet.adjustDailyClaimLimit(50, true);
        assertEq(raiseBoxFaucet.dailyClaimLimit(), 150);

        // dailySepEthCap fixed; no function, so unchanged
        uint256 finalCap = raiseBoxFaucet.dailySepEthCap();
        assertEq(finalCap, initialCap); // Remains 0.5 ether

        // Attempt non-existent adjust would revert if called, but proves absence
        // vm.prank(owner);
        // vm.expectRevert(); // Assuming no such function exists
        // Hypothetical: raiseBoxFaucet.adjustDailySepEthCap(adjustBy, true); // Would fail
    }

POC Explanation: The test asserts that dailyClaimLimit adjusts successfully while dailySepEthCap stays fixed at 0.5 ether, confirming the lack of an adjustment mechanism and the resulting inflexibility.

Recommended Mitigation

+event DailySepEthCapAdjusted(uint256 newCap);
+/// @notice Adjust the daily Sepolia ETH cap
+/// @param by Amount to adjust by
+/// @param increase Set true to increase, false to decrease
+function adjustDailySepEthCap(uint256 by, bool increase) public onlyOwner {
+ if (increase) {
+ dailySepEthCap += by;
+ } else {
+ if (by > dailySepEthCap) revert RaiseBoxFaucet_CurrentClaimLimitIsLessThanBy();
+ dailySepEthCap -= by;
+ }
+ emit DailySepEthCapAdjusted(dailySepEthCap);
+}
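
Review bot: The decrease branch of adjustDailySepEthCap reverts with RaiseBoxFaucet_CurrentClaimLimitIsLessThanBy, an error named for the claim limit, so a rejected ETH-cap decrease would be reported as a claim-limit failure; declare a dedicated error for the cap and revert with that instead. The same branch lets the owner reduce dailySepEthCap to zero or to a value below a single drip (sepEthAmountToDrip is 0.005 ether in the constructor comment); if that is not meant as an off switch, add an explicit lower bound and document the behaviour in the NatSpec. DailySepEthCapAdjusted carries only newCap; emitting the previous value as well would let off-chain monitoring see the size of each change without replaying state.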

Mitigation Key Points: Add adjustDailySepEthCap, mirroring the token limit adjuster, with a revert on over-decrease. Emit an event for tracking. This enables flexible ETH management without new risks.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

empyrean Submitter 12 days ago
inallhonesty Lead Judge 12 days ago
empyrean Submitter 12 days ago
inallhonesty Lead Judge 9 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
