Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Misuse of NatSpec `@param` Tags for State Variables in `RaiseBoxFaucet::claimFaucetTokens`

Root + Impact

Description

In the daily claim reset section of `claimFaucetTokens`, the NatSpec block uses `@param` to describe `lastFaucetDripDay` as tracking the last claim day and `@notice` to mention resetting `dailyClaimCount` every 24 hours.

However, `@param` is reserved for function parameters, not for state variables. This misuse violates Solidity NatSpec standards, where state variables should be documented using `@dev`, inline comments, or standalone `@notice` blocks.

Documentation tools such as `forge doc` or Solidity's built-in doc generator may ignore or misrender these invalid tags, producing incomplete or erroneous API documentation.

The underlying cause is a misunderstanding of how NatSpec tags are parsed — treating a logic explanation block as parameter documentation.

// @> Root cause in the codebase
/**
 * @> Misuse of @param for state variables
 * @param lastFaucetDripDay tracks the last day a claim was made
 * @notice resets the @param dailyClaimCount every 24 hours
 */
if (block.timestamp > lastFaucetDripDay + 1 days) {
    lastFaucetDripDay = block.timestamp;
    dailyClaimCount = 0;
}

Risk

Likelihood:

  • Low: NatSpec errors do not affect runtime behavior and are typically caught during review.

  • Medium (Documentation): Automated documentation tools may skip or misinterpret invalid tags.

Impact:

  • Low: No security or functional risk, but reduces code clarity and developer experience.

  • Maintenance Confusion: May cause developers to assume the function accepts parameters that don’t exist, complicating audits or integration.

Proof of Concept

The misuse is evident in the NatSpec block, where `@param` tags reference non-existent parameters. Running `forge doc` on the contract generates incomplete or erroneous output for this section, as shown below (simulated via code execution tool):

To verify, execute:

forge doc --out ./docs

Inspect the generated HTML/Markdown for claimFaucetTokens – the @param tags will appear misplaced or ignored, confirming documentation inconsistency.

Explanation

  • Setup: The NatSpec block is parsed by documentation tools, but @param expects function inputs, not state references.

  • Issue Demonstration: Tools like forge doc render the block as invalid parameters, omitting clear explanation of the reset logic.

  • Result: Documentation shows "lastFaucetDripDay" as a phantom parameter, misleading users about the function signature and behavior.

This confirms a deviation from NatSpec conventions, affecting automated API documentation and readability.
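
A small lint check for the misuse described in this report, as an added example that is not part of the original submission or the RaiseBox Faucet code base: it lists every `@param` whose name is not a parameter of the declaration that follows the doc comment. The `SAMPLE` contract, its `drip` function and the `phantom_params` helper are constructed for illustration, and the regex matching is a simplification rather than a full Solidity parser.

```python
import re

# Constructed sample modelled on the snippet quoted in this report (not the real contract).
SAMPLE = """contract Faucet {
    uint256 public lastFaucetDripDay;
    uint256 public dailyClaimCount;

    /// @notice Sends tokens to a recipient
    /// @param amount number of tokens to send
    function drip(address to, uint256 amount) external {}

    function claimFaucetTokens() public {
        /**
         * @param lastFaucetDripDay tracks the last day a claim was made
         * @notice resets the @param dailyClaimCount every 24 hours
         */
        if (block.timestamp > lastFaucetDripDay + 1 days) {
            lastFaucetDripDay = block.timestamp;
            dailyClaimCount = 0;
        }
    }
}
"""

# A doc comment is either one /** ... */ block or a run of consecutive /// lines.
DOC = re.compile(r"/\*\*(.*?)\*/|((?:^[ \t]*///[^\n]*\n)+)", re.S | re.M)
PARAM = re.compile(r"@param\s+(\w+)")
# Declarations that take parameters; group 1 is the text between the parentheses.
DECL = re.compile(r"\s*(?:(?:function|event|modifier|error)\s+\w+|constructor)\s*\(([^)]*)\)")

def phantom_params(source):
    """Return (line, name, reason) for every @param that names no real parameter."""
    findings = []
    for doc in DOC.finditer(source):
        names = PARAM.findall(doc.group(1) or doc.group(2) or "")
        line = source.count("\n", 0, doc.start()) + 1
        decl = DECL.match(source, doc.end())
        if decl is None:  # comment precedes a statement or a state variable
            declared, reason = set(), "no parameterised declaration follows the comment"
        else:  # last word of each comma-separated entry is the parameter name
            declared = {p.split()[-1] for p in decl.group(1).split(",") if p.strip()}
            reason = "name is not in the parameter list"
        findings += [(line, n, reason) for n in names if n not in declared]
    return findings

if __name__ == "__main__":
    for line, name, reason in phantom_params(SAMPLE):
        print(f"line {line}: @param {name}: {reason}")
```

Undocumented parameters (such as `to` on the constructed `drip` function) are deliberately not reported; the check only covers `@param` names that match nothing.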

Recommended Mitigation

  • Replace all @param tags used for state variables with @dev or inline comments.
    Use @notice to describe overall behavior and logic flow.

  • This aligns with Solidity NatSpec guidelines and ensures compatibility with documentation tools.

- /**
- *
- * @param lastFaucetDripDay tracks the last day a claim was made
- * @notice resets the @param dailyClaimCount every 24 hours
- */
+ /**
+ * @dev lastFaucetDripDay tracks the last day a claim was made.
+ * @dev resets dailyClaimCount every 24 hours.
+ */
if (block.timestamp > lastFaucetDripDay + 1 days) {
lastFaucetDripDay = block.timestamp;
dailyClaimCount = 0;
}
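
Review bot: On the added `+ * @dev ...` lines, the comment still sits directly above the `if (block.timestamp > lastFaucetDripDay + 1 days)` statement, which is inside the function body, and NatSpec is attached only to declarations (contracts, functions, events, state variables and similar), so changing the tag from `@param` to `@dev` leaves a `/** ... */` block that documents nothing. Suggest a plain `//` comment here for the reset logic, and moving the `@dev` or `@notice` text onto the declarations of `lastFaucetDripDay` and `dailyClaimCount`, or into the function's own NatSpec header.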

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity