Raisebox Faucet

Summary

The claimFaucetTokens() function uses flawed daily reset logic, which causes the daily counter to not reset properly when claims occur late in the day.

Description

Normal Behavior

Daily claim counter should reset at consistent day boundaries (e.g., every 24 hours at midnight)

Issue

The contract uses relative time calculation instead of absolute day boundaries:

Line: 220-223

This creates inconsistent daily windows that don't align with actual days and prevents legitimate users from claiming

Risk

Impact

Medium

• Daily limits don't align with actual day boundaries

• Users cannot predict when the faucet becomes available again

• Problem compounds when multiple late-day claims occur

Likelihood

High

• Happens whenever claims occur late in the day

• No malicious action required, just normal usage

Proof of Concept

Textual PoC

1. Daily limit is reached with the last claim at 23:00 on Day 1

2. lastFaucetDripDay is set to Day 1 at 23:00

3. Users attempt to claim at 01:00 on Day 2

4. Reset condition 01:00_Day2 > 23:00_Day1 + 24h evaluates to false

5. Claims remain blocked until 23:00 on Day 2, creating a ~23-hour delay

Coded PoC

RelativeTimeReset.t.sol: https://github.com/Luu-Duc-Toan/2025-10-raisebox-faucet/blob/master/test/RelativeTimeReset.t.sol

Result:

Recommended Mitigation

Use day boundary calculation instead of relative timing: