Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

Useless amountToRefill Parameter in function refillSepEth()

0x_bob_0x

Root + Impact

Description

The refillSepEth(uint256 amountToRefill) function is declared as payable, which already encodes the amount of ETH sent via msg.value.
However, the function redundantly requires an additional parameter amountToRefill to specify the same number and checks that both match.

This argument adds no functional or security benefit and can be entirely replaced by msg.value.
It slightly increases gas costs and creates confusion about the function’s intended usage.

function refillSepEth(uint256 amountToRefill) external payable onlyOwner {

// @> Redundant argument — the ETH value is already provided by msg.value.

require(amountToRefill > 0, "invalid eth amount");

// @> This check is unnecessary; msg.value already represents the amount sent.

require(

msg.value == amountToRefill,

"Refill amount must be same as value sent."

);

emit SepEthRefilled(msg.sender, amountToRefill);

}

Risk: Low

Likelihood: Medium

Factor	Observation	Likelihood Influence
Access Level	Only callable by the owner	Low
Exploit Potential	None — cannot be abused for gain	Low
Developer Confusion	Moderate — easy to misunderstand	Medium
Usage Frequency	Rare — admin-only function	Low

Impact: Low

Impact Area	Description
Functional	No impact — function still behaves correctly.
Gas	Slightly higher due to extra calldata and redundant checks.
Clarity	Misleading — implies the two values could differ when they cannot.
Maintainability	Adds unnecessary complexity and confusion.
Auditability	Introduces redundant logic that distracts from core behavior.

Proof of Concept

Step	Input	Expected Result
1️⃣	`msg.value = 1 ether`, `amountToRefill = 2 ether`	Reverts
2️⃣	`msg.value = 1 ether`, `amountToRefill = 1 ether`	Succeeds

function test_refillSepEth_RedundantParameter() public {

address owner = raiseBoxFaucet.owner();

vm.startPrank(owner);

// Mismatched values should revert

vm.expectRevert("Refill amount must be same as value sent.");

raiseBoxFaucet.refillSepEth{value: 1 ether}(2 ether);

// Works only when redundant argument equals msg.value

raiseBoxFaucet.refillSepEth{value: 1 ether}(1 ether);

vm.stopPrank();

}

Recommended Mitigation

Simplify the function to rely solely on msg.value.
This reduces calldata size, removes redundancy, and improves readability.

- function refillSepEth(uint256 amountToRefill) external payable onlyOwner {

- require(amountToRefill > 0, "invalid eth amount");

- require(

- msg.value == amountToRefill,

- "Refill amount must be same as value sent."

- );

- emit SepEthRefilled(msg.sender, amountToRefill);

- }

+ function refillSepEth() external payable onlyOwner {

+ require(msg.value > 0, "invalid eth amount");

+ emit SepEthRefilled(msg.sender, msg.value);

Updates

Lead Judging Commences

inallhonesty Lead Judge 13 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.