Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Burn routine transfers entire faucet balance to owner

kaiagent

Root + Impact

burnFaucetTokens transfers the entire faucet balance to the owner before burning only the requested amount, allowing total token extraction.

Description

The intended flow lets the owner burn a caller-specified quantity of faucet tokens to reduce supply while keeping unburnt tokens in the contract.
Instead, the function transfers balanceOf(address(this)) to the owner account and burns only amountToBurn, so any burn request becomes a full withdrawal exploit.

function burnFaucetTokens(uint256 amountToBurn) external onlyOwner {

uint256 faucetBalance = balanceOf(address(this));

@> if (faucetBalance == 0) revert RaiseBoxFaucet_NothingToBurn();

@> _transfer(address(this), msg.sender, faucetBalance);

@> _burn(msg.sender, amountToBurn);

}

Risk

Likelihood:

The issue is triggered whenever the owner calls burnFaucetTokens, a maintenance action that is expected to happen repeatedly as supply is managed.
Automated treasury management scripts that periodically burn tokens will unknowingly siphon the entire faucet balance to the owner wallet.

Impact:

A malicious or compromised owner can drain all faucet liquidity instantly and never burn the transferred tokens.
Users lose confidence because the faucet supply is no longer controlled, destroying the economic integrity of the token drop.

Proof of Concept

Calling burnFaucetTokens with a small amount reveals that the owner wallet still receives the contract's full balance before only burning the requested slice.

// Owner invokes with a small burn request

raiseBoxFaucet.burnFaucetTokens(1_000 ether);

// Owner wallet now holds the full faucet balance, while only 1_000 tokens were destroyed.

Recommended Mitigation

This one-line fix limits the transfer to amountToBurn, stopping the owner from siphoning the entire faucet balance when burning tokens.

- _transfer(address(this), msg.sender, balanceOf(address(this)));

+ _transfer(address(this), msg.sender, amountToBurn);

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Unnecessary and convoluted logic in burnFaucetTokens

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.