The DeployRaiseboxContract is a Solidity script that uses Foundry's Script library to deploy the RaiseBoxFaucet contract with hardcoded parameters: token name "raiseboxtoken", symbol "RB", an initial allocation of 1000 * 10^18 tokens, a 0.005 ETH fee (drip amount), and a 1 ETH cap. The script wraps the deployment in Foundry's vm.startBroadcast() and vm.stopBroadcast(), so the transactions are signed with the deployer's private key and sent from Foundry's off-chain scripting environment. However, the run() function is marked public with no access control, which poses a theoretical risk if the script itself were ever deployed on-chain as a contract.
Likelihood:
Impact:
If this script were mistakenly deployed as a contract, any user could call run(), deploying new instances of RaiseBoxFaucet and potentially exhausting the deployer's funds or creating redundant contracts.
Each deployment consumes gas and, if the script funds the new instance, ETH or tokens as well, leading to financial loss or network spam.
Multiple unauthorized deployments could also cause confusion about which RaiseBoxFaucet instance is canonical, complicating user interaction and contract management.
Proof of Concept:
1. Deploy DeployRaiseboxContract using forge create.
2. Call run() repeatedly, deploying multiple RaiseBoxFaucet instances.
Recommended Mitigation:
1. Keep Script Off-Chain: Ensure the script is only executed in Foundry's off-chain environment (e.g., via forge script). Avoid deploying it as a contract using forge create unless explicitly intended.
2. Add Access Control (if On-Chain): If the script must be deployed on-chain, restrict run() with a modifier like OpenZeppelin's onlyOwner.
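The following is an added example of the second mitigation, not the audited project's own deploy script. It assumes the forge-std Script base contract, an import path of ../src/RaiseBoxFaucet.sol, and a RaiseBoxFaucet constructor that takes the five parameters listed in the description in that order; the constructor signature is an assumption, as is the decision to use a minimal in-script owner check rather than pulling in OpenZeppelin's Ownable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's script. The forge-std import is standard;
// the RaiseBoxFaucet path and constructor parameter order are assumptions.
import {Script} from "forge-std/Script.sol";
import {RaiseBoxFaucet} from "../src/RaiseBoxFaucet.sol";

/// Deploy script with run() restricted to the account that created the
/// script contract. Under `forge script` that account is the configured
/// sender, so normal usage is unchanged; if the script were ever deployed
/// with `forge create`, third parties could no longer trigger deployments.
contract DeployRaiseboxContract is Script {
    // Parameters from the finding
    string public constant NAME = "raiseboxtoken";
    string public constant SYMBOL = "RB";
    uint256 public constant INITIAL_ALLOCATION = 1000 * 10 ** 18;
    uint256 public constant DRIP = 0.005 ether; // fee / drip amount
    uint256 public constant CAP = 1 ether;

    /// Account allowed to call run(); fixed at construction.
    address public immutable owner;

    error NotOwner(address caller);

    constructor() {
        owner = msg.sender;
    }

    /// Minimal stand-in for OpenZeppelin's onlyOwner (assumed design choice).
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    /// Deploys one RaiseBoxFaucet. Returns the instance so tests and
    /// callers can record the canonical address.
    function run() external onlyOwner returns (RaiseBoxFaucet faucet) {
        vm.startBroadcast();
        faucet = new RaiseBoxFaucet(NAME, SYMBOL, INITIAL_ALLOCATION, DRIP, CAP);
        vm.stopBroadcast();
    }
}
```

Run it the intended way with `forge script script/DeployRaiseboxContract.s.sol --rpc-url <RPC> --broadcast` (path assumed); Foundry instantiates the script contract and calls run() from the same sender, so the owner check passes. Making run() `external` rather than `public` also signals that it is an entry point and nothing inside the script should call it. Note that vm.startBroadcast() is a Foundry cheatcode that only exists inside Foundry's VM; on a live chain there is no contract at the cheatcode address, so a call to run() from a deployed copy of the script would revert before any faucet is created, which is part of why the finding rates the risk as theoretical rather than practical.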