Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP

Submission Details
Impact: low
Likelihood: low
Status: Invalid

[L-01] Misleading Function Name and Incomplete Implementation in `refillSepEth`


Description

  • The `refillSepEth` function has a misleading name and an incomplete implementation that could lead to confusion and potential misuse. While the function is intended to refill the contract with Sepolia ETH, its body only validates the input and emits an event; it contains no explicit fund-handling logic (the ETH is credited to the contract solely because the function is `payable`).


```solidity
function refillSepEth(uint256 amountToRefill) external payable onlyOwner {
    require(amountToRefill > 0, "invalid eth amount");
    require(msg.value == amountToRefill, "Refill amount must be same as value sent.");
    emit SepEthRefilled(msg.sender, amountToRefill);
    //@> No transfer or explicit fund handling: msg.value is credited only because the function is payable
}
```

Risk

Low Likelihood - The function doesn't cause direct harm, but may lead to operational mistakes.

  • It is one of the main functions of the contract, meant to supply the contract with ETH; however, the contract already accepts ETH through donations, which makes this function redundant.

  • The function doesn't cause direct harm, but may lead to operational mistakes.

Low Impact - No direct fund loss, but creates confusion and potential operational issues:

  • Misleading function name suggests active fund handling that doesn't occur

  • Could lead to incorrect assumptions about contract state management

Proof of Concept

```solidity
function testRefillEthActuallyWorksButImplementationIsMisleading() public {
    // Get initial balances
    uint256 initialContractBalance = address(raiseBoxFaucet).balance;
    uint256 initialOwnerBalance = owner.balance;
    console.log("Contract ETH balance before refill:", initialContractBalance);
    console.log("Owner ETH balance before refill:", initialOwnerBalance);

    // Owner "refills" with 50 ETH
    vm.prank(owner);
    raiseBoxFaucet.refillSepEth{value: 50 ether}(50 ether);

    // Check balances after
    uint256 contractBalanceAfterRefill = address(raiseBoxFaucet).balance;
    uint256 ownerBalanceAfterRefill = owner.balance;
    console.log("Contract ETH balance after refill:", contractBalanceAfterRefill);
    console.log("Owner ETH balance after refill:", ownerBalanceAfterRefill);

    // The function DOES work because of payable, but implementation is misleading
    assertEq(contractBalanceAfterRefill, initialContractBalance + 50 ether);
    assertEq(ownerBalanceAfterRefill, initialOwnerBalance - 50 ether);

    // However, the function name and implementation are confusing
    console.log("Function works but implementation is misleading - no explicit fund handling logic");
}
```

Result:

```text
Contract ETH balance before refill: 1000000000000000000
Owner ETH balance before refill: 100000000000000000000
Contract ETH balance after refill: 51000000000000000000
Owner ETH balance after refill: 50000000000000000000
Function works but implementation is misleading - no explicit fund handling logic
```


Recommended Mitigation

Remove the redundant function (recommended), or make the function's fund-handling behaviour explicit.
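To make the two mitigation options concrete, the following is an added illustration written for this report; it is not the audited RaiseBoxFaucet code. `MinimalFaucet`, `refillSepEthExplicit`, `totalRefilled` and the custom errors are hypothetical names chosen here, and the `receive()` function assumes, as the finding states, that the contract already accepts ETH donations. The first function reproduces the flagged pattern (a `payable` body with no fund handling), the second shows an explicit variant, and the Foundry tests (using forge-std) check that both credit the contract balance and that the value mismatch reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Illustrative faucet (hypothetical, not the audited contract).
contract MinimalFaucet {
    address public immutable owner;
    // Hypothetical bookkeeping of ETH received through explicit refills.
    uint256 public totalRefilled;

    event SepEthRefilled(address indexed from, uint256 amount);

    error NotOwner();
    error InvalidAmount();
    error ValueMismatch(uint256 expected, uint256 actual);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Pattern flagged in the finding: `payable` credits msg.value to
    /// address(this).balance before the body executes, so the refill "works"
    /// even though nothing in the body handles funds.
    function refillSepEth(uint256 amountToRefill) external payable onlyOwner {
        if (amountToRefill == 0) revert InvalidAmount();
        if (msg.value != amountToRefill) revert ValueMismatch(amountToRefill, msg.value);
        emit SepEthRefilled(msg.sender, amountToRefill);
    }

    /// Explicit variant: the amount parameter is redundant with msg.value, so
    /// it is dropped, and the received value is recorded in state so the
    /// fund-handling intent is visible to readers and off-chain monitors.
    function refillSepEthExplicit() external payable onlyOwner {
        if (msg.value == 0) revert InvalidAmount();
        totalRefilled += msg.value;
        emit SepEthRefilled(msg.sender, msg.value);
    }

    /// Assumed donation path (anyone may send ETH), which is what makes the
    /// owner-only refill redundant.
    receive() external payable {}
}

contract MinimalFaucetTest is Test {
    MinimalFaucet internal faucet;
    address internal owner = makeAddr("owner");

    function setUp() public {
        vm.prank(owner);
        faucet = new MinimalFaucet();
        vm.deal(owner, 10 ether);
    }

    // The balance rises although refillSepEth contains no transfer logic.
    function testPayableCreditsBalanceWithoutTransferLogic() public {
        vm.prank(owner);
        faucet.refillSepEth{value: 1 ether}(1 ether);
        assertEq(address(faucet).balance, 1 ether);
    }

    // The redundant parameter only adds a way to revert a correct deposit.
    function testMismatchedValueReverts() public {
        vm.expectRevert(
            abi.encodeWithSelector(MinimalFaucet.ValueMismatch.selector, 1 ether, 2 ether)
        );
        vm.prank(owner);
        faucet.refillSepEth{value: 2 ether}(1 ether);
    }

    // The explicit variant leaves a state record of what was refilled.
    function testExplicitVariantRecordsRefill() public {
        vm.prank(owner);
        faucet.refillSepEthExplicit{value: 2 ether}();
        assertEq(faucet.totalRefilled(), 2 ether);
        assertEq(address(faucet).balance, 2 ether);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The design point is that a `payable` entry point always receives ETH before its body runs; if the body does not record or forward that value, the function name is the only thing telling a reader what happened, which is the confusion this finding describes.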

Updates

Lead Judging Commences

inallhonesty Lead Judge 14 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
