Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Valid

Incorrect Token Transfer Logic Before Burn Allows Full Faucet Drain

Root + Impact

Description

Normal behavior:
The burnFaucetTokens() function is intended to let the contract owner burn a specified amount (amountToBurn) of faucet tokens from the contract's own balance. After execution, the faucet's balance and the token's total supply should each be reduced by exactly amountToBurn, and nothing should move to the owner.

Issue:
The current implementation first transfers the entire contract balance to the owner and only then burns amountToBurn from the owner's balance. The faucet is left with zero tokens, while the owner keeps everything that was not burned. Any call to the function, regardless of amountToBurn, therefore drains the faucet's token supply.

function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
    require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
    // @> Transfers the ENTIRE contract balance to the owner
    _transfer(address(this), msg.sender, balanceOf(address(this)));
    // @> Burns only 'amountToBurn' from the owner's balance
    _burn(msg.sender, amountToBurn);
}

Risk

Likelihood:

  • The issue occurs on every call to burnFaucetTokens(), whatever value of amountToBurn is passed; the require check only bounds the burned amount, not the transferred one.

  • The function is restricted to the owner, but a single call, whether accidental or deliberate, is enough to move the whole faucet balance to the owner's account.

Impact:

  • The faucet contract's token balance drops to zero, preventing any future claims by users until the faucet is refunded.

  • The owner retains the entire former faucet balance minus the burned portion, so tokens intended for distribution end up concentrated in the owner's account instead of being burned, breaking the token distribution mechanism.

Proof of Concept

// Assume the faucet contract holds 1,000,000 tokens and the owner calls:
burnFaucetTokens(1000);
// Results:
// 1. All 1,000,000 tokens are transferred from the faucet to the owner
// 2. Only 1,000 tokens are burned, from the owner's balance
// 3. Owner keeps 999,000 tokens
// 4. Faucet balance = 0
// 5. Total supply = 999,000 (the burn itself is correct; the transfer is the bug)

Recommended Mitigation

- _transfer(address(this), msg.sender, balanceOf(address(this)));
- _burn(msg.sender, amountToBurn);
+ _transfer(address(this), msg.sender, amountToBurn);
+ _burn(msg.sender, amountToBurn);
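Review bot: the two `+` lines still route faucet tokens through the owner before burning them, which is an unnecessary intermediate step. Because this contract is the token itself (it calls _transfer and _burn directly), the burn can be done from the contract's own balance in one line, `_burn(address(this), amountToBurn);`, dropping the transfer entirely. That is simpler to reason about, emits no Transfer event to the owner that could be mistaken for a distribution, and removes any path by which faucet tokens land in the owner's account.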

Only move the amount that is actually intended to be burned. This keeps the rest of the faucet's token balance in the contract and prevents unintended or malicious draining of funds; it also restores the intended invariant that a call to burnFaucetTokens(amountToBurn) reduces both the faucet balance and the total supply by exactly amountToBurn.
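The walkthrough in the Proof of Concept and the recommended fix above can be turned into a Foundry test that demonstrates both. The following is an added example, not code from the Raisebox Faucet project: it uses a minimal ERC20-style stand-in (MiniToken, with its own _transfer/_burn bookkeeping so no OpenZeppelin import is needed), a VulnerableFaucet that reproduces the reported burnFaucetTokens() logic, and a FixedFaucet that burns directly from the contract. The constructor that mints the initial supply to the contract and the 1,000,000 / 1,000 figures are assumptions taken from the PoC; forge-std's Test is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal ERC20-style bookkeeping so the test runs without OpenZeppelin.
// Stand-in for the audited token (assumption), not the project's contract.
abstract contract MiniToken {
    mapping(address => uint256) internal _balances;
    uint256 public totalSupply;
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Assumption: the whole faucet supply is minted to the contract at deployment.
    constructor(uint256 faucetSupply) {
        owner = msg.sender;
        _mint(address(this), faucetSupply);
    }

    function balanceOf(address a) public view returns (uint256) {
        return _balances[a];
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        _balances[to] += amount;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient");
        _balances[from] -= amount;
        _balances[to] += amount;
    }

    function _burn(address from, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient");
        _balances[from] -= amount;
        totalSupply -= amount;
    }
}

// Reproduces the reported logic: transfers the whole balance, burns only amountToBurn.
contract VulnerableFaucet is MiniToken {
    constructor(uint256 s) MiniToken(s) {}

    function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
        require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
        _transfer(address(this), msg.sender, balanceOf(address(this)));
        _burn(msg.sender, amountToBurn);
    }
}

// Fixed version: burn straight from the contract's own balance, no transfer.
contract FixedFaucet is MiniToken {
    constructor(uint256 s) MiniToken(s) {}

    function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
        require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
        _burn(address(this), amountToBurn);
    }
}

contract BurnFaucetTokensTest is Test {
    uint256 constant SUPPLY = 1_000_000;
    uint256 constant BURN = 1_000;

    // The test contract deploys the faucet, so it is the owner in both cases.
    function test_vulnerable_drainsFaucet() public {
        VulnerableFaucet f = new VulnerableFaucet(SUPPLY);
        f.burnFaucetTokens(BURN);
        assertEq(f.balanceOf(address(f)), 0);                // faucet emptied
        assertEq(f.balanceOf(address(this)), SUPPLY - BURN); // owner holds the rest
        assertEq(f.totalSupply(), SUPPLY - BURN);            // burn itself was correct
    }

    function test_fixed_burnsOnlyRequestedAmount() public {
        FixedFaucet f = new FixedFaucet(SUPPLY);
        f.burnFaucetTokens(BURN);
        assertEq(f.balanceOf(address(f)), SUPPLY - BURN);    // faucet keeps the remainder
        assertEq(f.balanceOf(address(this)), 0);             // nothing reached the owner
        assertEq(f.totalSupply(), SUPPLY - BURN);
    }
}
```

Run it with forge test in a Foundry project that has forge-std installed. The first test passes only because it asserts the drain; it documents the bug rather than the intended behaviour. The second test is the invariant the real contract should satisfy after the fix: the faucet balance and total supply each fall by exactly amountToBurn and the owner's balance is unchanged.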

Updates

Lead Judging Commences

inallhonesty Lead Judge 15 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Unnecessary and convoluted logic in burnFaucetTokens
