The claimFaucetTokens() function contains a logic error in how it manages the dailyDrips counter, which tracks the total amount of Sepolia ETH distributed per day. The vulnerability exists in the else block at the end of the ETH distribution logic:
This else block executes whenever:
A user has already claimed ETH before (hasClaimedEth[faucetClaimer] == true), OR
ETH drips are paused (sepEthDripsPaused == true)
The problem is that dailyDrips gets reset to zero every time a repeat claimer calls the function, even though no actual day change has occurred. This breaks the tracking mechanism that enforces the dailySepEthCap limit.
More Sepolia ETH can be distributed per day than intended, potentially draining the contract's ETH balance faster than expected.
Remove the else block entirely. The dailyDrips counter should only be reset when a new day begins, which is already handled correctly inside the first-time claimer logic.
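The accounting flaw and the effect of the recommended fix can be checked with a small state model. This is an added example, not the contract's code: it is a Python model rather than Solidity, and the fixed per-claim drip amount, the day marker (`last_drip_day`), the `reset_in_else` switch and the claimer names are assumptions made for illustration.

```python
"""Constructed model of the dailyDrips accounting described above (not the contract's code)."""


class FaucetModel:
    def __init__(self, daily_sep_eth_cap, drip_amount, reset_in_else):
        self.daily_sep_eth_cap = daily_sep_eth_cap  # dailySepEthCap
        self.drip_amount = drip_amount              # assumed fixed drip per first-time claim
        self.reset_in_else = reset_in_else          # True models the flawed else block
        self.daily_drips = 0                        # dailyDrips
        self.last_drip_day = 0                      # assumed day marker (hypothetical name)
        self.has_claimed_eth = set()                # hasClaimedEth
        self.sep_eth_drips_paused = False           # sepEthDripsPaused
        self.eth_sent = {}                          # day -> ETH actually sent (ground truth)

    def claim_faucet_tokens(self, claimer, day):
        if claimer not in self.has_claimed_eth and not self.sep_eth_drips_paused:
            if day > self.last_drip_day:            # legitimate reset: a new day began
                self.last_drip_day = day
                self.daily_drips = 0
            if self.daily_drips + self.drip_amount <= self.daily_sep_eth_cap:
                self.has_claimed_eth.add(claimer)
                self.daily_drips += self.drip_amount
                self.eth_sent[day] = self.eth_sent.get(day, 0) + self.drip_amount
        elif self.reset_in_else:
            self.daily_drips = 0                    # the flaw: reset without a day change


def eth_sent_in_one_day(reset_in_else, new_claimers=10, cap=3, drip=1):
    """Constructed scenario: one repeat claimer calls again between first-time claims."""
    faucet = FaucetModel(cap, drip, reset_in_else)
    faucet.claim_faucet_tokens("repeat", day=1)     # first call: receives a drip
    for i in range(new_claimers):
        faucet.claim_faucet_tokens(f"new{i}", day=1)
        faucet.claim_faucet_tokens("repeat", day=1) # repeat call hits the else branch
    return faucet.eth_sent[1]


def cap_invariant_holds(reset_in_else, cap=3):
    """Invariant a test suite should enforce: ETH sent in a day never exceeds the cap."""
    return eth_sent_in_one_day(reset_in_else, cap=cap) <= cap
```

The same invariant, ETH sent within one day never exceeding dailySepEthCap, is the property to assert in the contract's own test suite after removing the else block.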