Daily Claim Limit Permanent Denial of Service Due to Reset Timing

Description

The claimFaucetTokens function is designed to enforce a daily limit of 100 claims by incrementing dailyClaimCount on each successful claim and resetting it every 24 hours via a timestamp comparison. This allows up to 100 collective claims per rolling 24-hour period, with the reset intended to automatically unlock the next period.

However, the reset logic is positioned after the daily limit check, causing any claim attempt post-maxout to revert before reaching the reset block. As a result, dailyClaimCount becomes permanently stuck at 100, creating an irrecoverable denial of service state where no further claims are possible until manual owner intervention. The rolling window condition (> lastFaucetDripDay + 1 days) further complicates boundaries, but the core issue is the ordering.

Risk

Likelihood:

• Activates after precisely 100 claims in a period (achievable via multi-user coordination or high traffic)

• Persists indefinitely, as every subsequent claim fails the early check, skipping the reset regardless of time elapsed

Impact:

• Faucet completely unusable for all users until the owner manually resets via adjustDailyClaimLimit

• Violates the intended 100 claim per day model, destroying user trust and potentially leading to protocol leaving without automated recovery

Proof of Concept

This Foundry test simulates filling the daily claim limit with 100 unique users (bypassing per-user cooldowns), then warps time to and past the 24-hour boundary. It expects reverts on subsequent claims (confirming the early check blocks them) and asserts dailyClaimCount remains stuck at 100, proving the permanent DoS. The reset never executes due to the ordering flaw.

Recommended Mitigation

Move the reset logic before the limit check to ensure it always executes, preventing permanent DoS. Switch to calendar days (block.timestamp / 1 days) for precise, drift-free resets first new day claim will reset to 0 and succeed.