Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Advisory: Use Pull Pattern for ETH Drip

Root + Impact

Description

The RaiseBoxFaucet contract currently performs push payments of ETH to first-time claimers.

This pattern requires careful failure handling to avoid permanently blocking first-time users.

    // @> push payments of ETH to first-time claimers
    (bool success, ) = faucetClaimer.call{ value: sepEthAmountToDrip }("");
    if (success) {
        emit SepEthDripped(faucetClaimer, sepEthAmountToDrip);
    } else {
        revert RaiseBoxFaucet_EthTransferFailed();
    }

Risk: Informational

Since this is an architecture recommendation, no immediate user funds are at risk if the current hasClaimedEth protection is properly applied.

Proof of Concept

Isolating the token claim logic from the ETH withdrawal logic improves readability, testability, and maintainability (separation of concerns).

Recommended Mitigation

Instead of sending ETH inside claimFaucetTokens(), credit users with a pending ETH balance:

  1. Update all internal state (effects) first.

  2. Record pendingSepEth[caller].

  3. Let users call a separate withdrawSepEth() function to claim their ETH.

    // ETH credited to each claimer and not yet withdrawn
    mapping(address => uint256) public pendingSepEth;

    function withdrawSepEth() external nonReentrant {
        uint256 amount = pendingSepEth[msg.sender];
        require(amount > 0, "no eth to withdraw");
        // Effect: clear the credit before the external call
        pendingSepEth[msg.sender] = 0;
        // Interaction: a failed transfer reverts and restores the credit
        (bool ok, ) = msg.sender.call{ value: amount }("");
        require(ok, "ETH transfer failed");
        emit SepEthDripped(msg.sender, amount);
    }

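
The crediting side of steps 1 and 2, which the snippet above leaves out, shown together with the withdrawal as an added sketch; it is not the RaiseBoxFaucet source or the submitter's code. `PullDripSketch`, `reservedSepEth`, `SepEthCredited` and the `locked` guard are assumed names, and token minting, cooldowns and daily caps are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the RaiseBoxFaucet source. Names not on the page
// (PullDripSketch, reservedSepEth, SepEthCredited, locked) are hypothetical.
contract PullDripSketch {
    uint256 public immutable sepEthAmountToDrip;
    mapping(address => bool) public hasClaimedEth;
    mapping(address => uint256) public pendingSepEth;
    uint256 public reservedSepEth; // credited but not yet withdrawn
    bool private locked;           // minimal stand-in for nonReentrant

    event SepEthCredited(address indexed claimer, uint256 amount);
    event SepEthDripped(address indexed claimer, uint256 amount);

    constructor(uint256 dripAmount) payable {
        sepEthAmountToDrip = dripAmount;
    }

    receive() external payable {}

    function claimFaucetTokens() external {
        // Effects only: there is no external call here, so a claimer whose
        // receive() reverts cannot make the claim itself revert.
        // Credit only from ETH that is not already owed to someone else.
        if (
            !hasClaimedEth[msg.sender] &&
            address(this).balance - reservedSepEth >= sepEthAmountToDrip
        ) {
            hasClaimedEth[msg.sender] = true;
            pendingSepEth[msg.sender] += sepEthAmountToDrip;
            reservedSepEth += sepEthAmountToDrip;
            emit SepEthCredited(msg.sender, sepEthAmountToDrip);
        }
    }

    function withdrawSepEth() external {
        require(!locked, "reentrant call");
        locked = true;
        uint256 amount = pendingSepEth[msg.sender];
        require(amount > 0, "no eth to withdraw");
        pendingSepEth[msg.sender] = 0;
        reservedSepEth -= amount;
        (bool ok, ) = msg.sender.call{ value: amount }("");
        require(ok, "ETH transfer failed"); // revert restores the credit
        locked = false;
        emit SepEthDripped(msg.sender, amount);
    }
}
```

Tracking `reservedSepEth` keeps every recorded credit backed by contract balance, so a later withdrawal cannot fail because other claimers drained the ETH first.
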
Updates

Lead Judging Commences

inallhonesty Lead Judge 17 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
