Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

The `Claimed` event in the `RaiseBoxFaucet::claimFaucetTokens` function is emitted after the `faucetDrip` is transferred to the user, potentially causing confusion and misinterpretation of the event.

alexscherbatyuk

Root + Impact

Description

The Claimed event is emitted after the faucetDrip is transferred to the user, potentially causing confusion and misinterpretation of the event by users and dapps.

function claimFaucetTokens() public {

...

// Effects

lastClaimTime[faucetClaimer] = block.timestamp;

dailyClaimCount++;

// Interactions

_transfer(address(this), faucetClaimer, faucetDrip);

@> emit Claimed(msg.sender, faucetDrip);

...

}

Risk

Likelihood:

The Claimed event is always emitted after the standard ERC20 transfer event.

Impact:

Confusion and misinterpretation of the event by users and dapps.

Proof of Concept

Add the following code snippet to the RaiseBoxFaucet.t.sol test file.

This code snippet is designed to demonstrate the Claimed event is emitted after the faucetDrip is transferred to the user, after all standard ERC20 events have already been emitted.

event SepEthDripped(address indexed claimant, uint256 amount);

event Transfer(address indexed from, address indexed to, uint256 value);

event Claimed(address indexed user, uint256 amount);

function testClaimedEvents() public {

vm.expectEmit(true, false, false, true, address(raiseBoxFaucet));

emit SepEthDripped(user1, raiseBoxFaucet.sepEthAmountToDrip());

vm.expectEmit(true, true, false, true, address(raiseBoxFaucet));

emit Transfer(address(raiseBoxFaucet), user1, raiseBoxFaucet.faucetDrip());

vm.expectEmit(true, false, false, true, address(raiseBoxFaucet));

emit Claimed(user1, raiseBoxFaucet.faucetDrip());

vm.prank(user1);

raiseBoxFaucet.claimFaucetTokens();

console.log("user balance of ETH: ", user1.balance);

console.log("user balance of faucet tokens: ", raiseBoxFaucet.balanceOf(user1));

}

Recommended Mitigation

To follow the Check-Effects-Interactions (CEI) pattern and emit the event before the interaction, the Claimed event should be emitted before the faucetDrip is transferred to the user.

function claimFaucetTokens() public {

...

// Effects

lastClaimTime[faucetClaimer] = block.timestamp;

dailyClaimCount++;

+ emit Claimed(msg.sender, faucetDrip);

// Interactions

_transfer(address(this), faucetClaimer, faucetDrip);

- emit Claimed(msg.sender, faucetDrip);

...

Updates

Lead Judging Commences

inallhonesty Lead Judge 13 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.