Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

dailyDrips counter is incorrectly reset in claimFaucetTokens() Else branch

Root + Impact

Description

In claimFaucetTokens(), the faucet resets dailyDrips in the else branch, which runs whenever the caller is not eligible for the Sepolia ETH drip.

Problem:

  • A single claim by a user who has already claimed ETH (or any claim made while drips are paused) resets the entire day’s ETH drip counter.

  • This can unintentionally allow more ETH to be claimed later in the day, or conversely, prevent legitimate daily limits from working correctly.

Impact: The daily Sepolia ETH distribution is inconsistent and may violate the intended daily cap.

    if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {
        // normal drip logic
    } else {
        dailyDrips = 0; // @> Unintended reset for users not eligible for ETH
    }

Risk: Medium

Likelihood: High

| Factor | Observation | Likelihood Influence |
|---|---|---|
| Frequency | Occurs on any faucet claim by an ineligible user | High |
| Severity | Breaks intended daily ETH cap | Medium |
| Access | Publicly callable | High |
| Complexity | Subtle logic error, may go unnoticed | Medium |

Impact: Medium

| Impact Area | Description |
|---|---|
| Daily Limit Enforcement | Resets the daily drip counter incorrectly, potentially allowing excessive or insufficient ETH distribution. |
| Fairness | Some users may get more or fewer ETH drips than intended. |
| Maintainability | Confusing logic makes future modifications error-prone. |
| Auditability | Makes it harder to verify that daily ETH caps are respected. |

Proof of Concept

  • user1 claims for the first time → receives ETH drip → dailyDrips increases correctly.

  • After cooldown, user1 claims again, but is no longer eligible for ETH.

  • The else { dailyDrips = 0; } block executes → resets dailyDrips, breaking the intended daily ETH cap.

  • This demonstrates that the current implementation allows incorrect ETH drip accounting, violating the intended rules.

    function testDailyDripsResetByIneligibleUser() public {
        // user1 claims first-time ETH drip
        vm.prank(user1);
        raiseBoxFaucet.claimFaucetTokens();
        assertEq(raiseBoxFaucet.getHasClaimedEth(user1), true);

        // dailyDrips should be 0.005 ether now (recorded inside contract)
        assertEq(raiseBoxFaucet.dailyDrips(), 0.005 ether, "dailyDrips correctly set");

        // user1 calls again after cooldown (eligible for token, not ETH)
        vm.warp(block.timestamp + 4 days); // move past CLAIM_COOLDOWN
        vm.prank(user1);
        raiseBoxFaucet.claimFaucetTokens();

        // Problem: dailyDrips gets reset by the else branch for ineligible ETH claimers
        // Now dailyDrips = 0 instead of 0.005, effectively allowing more ETH than intended
        uint256 dailyDripsAfter = raiseBoxFaucet.dailyDrips();
        assertEq(dailyDripsAfter, 0, "dailyDrips incorrectly reset");
    }
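
The PoC stops at the counter being zeroed. The Python model below is an added example (not part of the submission and not the contract's code) that carries the reset through to the daily cap by comparing the reported branch with the mitigated one over a single day. Assumptions: the cap value DAILY_CAP_WEI, the rule that a drip is skipped once it would exceed the cap (the page elides the "normal drip logic"), and the constructed caller names.

```python
from dataclasses import dataclass, field

DRIP_WEI = 5 * 10**15         # 0.005 ether per first-time claim, as in the page's PoC
DAILY_CAP_WEI = 2 * DRIP_WEI  # assumed cap for the model: two ETH drips per day


@dataclass
class FaucetModel:
    """ETH-side accounting of claimFaucetTokens() within a single day."""
    reset_in_else: bool       # True: branch as reported; False: mitigated
    has_claimed_eth: set = field(default_factory=set)
    daily_drips: int = 0
    eth_sent: int = 0

    def claim(self, user: str, drips_paused: bool = False) -> int:
        """Model one claim and return the wei dripped to `user`."""
        if user not in self.has_claimed_eth and not drips_paused:
            # The page elides the "normal drip logic". Assumed here: the drip
            # is skipped once it would push dailyDrips past the daily cap.
            if self.daily_drips + DRIP_WEI > DAILY_CAP_WEI:
                return 0
            self.has_claimed_eth.add(user)
            self.daily_drips += DRIP_WEI
            self.eth_sent += DRIP_WEI
            return DRIP_WEI
        if self.reset_in_else:
            self.daily_drips = 0  # the unintended reset from the else branch
        return 0


# Constructed single-day call order. old1/old2 received their ETH drip on an
# earlier day, so their token claims today take the else branch.
RETURNING = {"old1", "old2"}
CALLS = ["new1", "new2", "old1", "new3", "new4", "old2", "new5"]


def eth_sent_today(reset_in_else: bool) -> int:
    """Total wei dripped over CALLS by the reported or the mitigated variant."""
    faucet = FaucetModel(reset_in_else, has_claimed_eth=set(RETURNING))
    for user in CALLS:
        faucet.claim(user)
    return faucet.eth_sent


if __name__ == "__main__":
    for variant, flag in (("reported", True), ("mitigated", False)):
        print(f"{variant}: {eth_sent_today(flag)} wei sent, cap {DAILY_CAP_WEI} wei")
```

In the model, every ineligible claim reopens the full cap in the reported variant, so the day's total grows with the number of interleaved returning users; the mitigated variant stops at the cap.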

Recommended Mitigation

Remove the else { dailyDrips = 0; } block entirely.

function claimFaucetTokens() public {
...
- else {
- dailyDrips = 0;
- }
...
}
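
Review bot: The removed else block is the only dailyDrips reset visible in this hunk, and the ... lines around it hide the rest of claimFaucetTokens(), so the patch does not show where the counter is zeroed when a new day starts. Confirm in the elided code that a day-rollover reset remains, since without one the cap would stay exhausted once it is first reached, and turn the PoC's final assertion into a regression test that expects dailyDrips to be unchanged by an ineligible claim.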

Updates

Lead Judging Commences

inallhonesty Lead Judge 14 days ago
Submission Judgement Published
Validated
Assigned finding tags:

dailyDrips Reset Bug
