Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Daily ETH Drip Reset Logic Allows Bypass of Daily Cap

_okchev

Root + Impact

Description

Normal behavior:
The faucet contract tracksdailyDrips to enforce a daily ETH distribution cap dailySepEthCap) This value should reset only once per new day when currentDay > lastDripDay to ensure ETH drip limits are properly enforced within each 24-hour period.

Issue:
The current implementation incorrectly resets dailyDrips to zero in the else branch, which executes whenever a user has already claimed ETH or when ETH drips are paused.
This logic unintentionally clears the daily counter even when a new day has not started, allowing subsequent calls to exceed the intended dailySepEthCap.

if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {

// normal drip logic...

} else {

@> dailyDrips = 0; // Incorrect unconditional reset of daily ETH drip counter

}

As a result, the faucet may reset the ETH drip limit multiple times within the same day, effectively bypassing the daily ETH cap mechanism.

Risk

Likelihood:

Occurs each time a user calls claimFaucetTokens() after already claiming ETH once.
The else branch is triggered frequently under normal operation (for all returning users and when ETH drips are paused).

Impact:

dailyDrips counter can be reset multiple times per day, allowing the contract to distribute more ETH than intended.
Breaks the faucet’s rate-limiting and resource control guarantees, leading to ETH depletion from the contract.

Proof of Concept

// Scenario:

// dailySepEthCap = 0.05 ETH

// sepEthAmountToDrip = 0.01 ETH

// dailyDrips = 0.04 ETH after 4 successful claims

// User who already claimed before (hasClaimedEth == true)

// calls claimFaucetTokens() again

// "else" branch triggers:

dailyDrips = 0; // resets daily count!

// Now new claimers can again claim 5x 0.01 ETH → total 0.1 ETH in one day

// Daily ETH cap enforcement completely bypassed

Recommended Mitigation

- } else {

- dailyDrips = 0;

- }

+ } else {

+ // Do not reset dailyDrips here — only reset when a new day starts

+ // Keep dailyDrips unchanged to preserve accurate daily cap enforcement

+ }

dailyDrips should only reset when a new 24-hour period begins if (currentDay > lastDripDay), not inside the else branch.

Updates

Lead Judging Commences

inallhonesty Lead Judge 15 days ago

Submission Judgement Published

Validated

Assigned finding tags:

dailyDrips Reset Bug

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.