Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

Missing Event Emission on Daily Claim Limit Adjustment

0xscratch

No events emitted within `adjustDailyClaimLimit`, hindering transparency and off-chain tracking of critical parameter changes

Description

The RaiseBoxFaucet::adjustDailyClaimLimit function allows the owner to modify the dailyClaimLimit, which controls how many users can claim tokens each day. However, the function does not emit any events — like the rest of critical state-changing functions — when the limit is adjusted, making it difficult for off-chain systems and users to track changes to this important parameter.
With this, users will never know when the dailyClaimLimit has been changed, and by how much. Even Slither highlights this issue, and somehow considers it important: Missing events arithmetic

function adjustDailyClaimLimit(uint256 by, bool increaseClaimLimit) public onlyOwner {
if (increaseClaimLimit) {
dailyClaimLimit += by;
} else {
if (by > dailyClaimLimit) {
revert RaiseBoxFaucet_CurrentClaimLimitIsLessThanBy();
}
dailyClaimLimit -= by;
}
@> // No event emitted here to indicate the change in dailyClaimLimit
}

Risk

Likelihood: Medium

The owner may frequently adjust the dailyClaimLimit based on user demand or operational needs, making it likely that changes will go unnoticed without event logging.

Impact: Low

Lack of event logging reduces transparency and makes it harder for users and off-chain systems to monitor changes, but does not directly affect contract functionality or security.

Proof of Concept

We can talk about two scenarios here:
1. Scenario_1: A user wanted to claim tokens, but somehow the dailyClaimLimit has already been reached. So the user decides to wait for the next day. However, in the meantime, the owner has increased the dailyClaimLimit to allow more users to claim tokens. But the user has no way of knowing this change, and thus, he misses out on the opportunity to claim tokens.
2. Scenario_2: A user checks that he can still claim tokens today and decides to do so. However, as he calls the claimFaucetTokens function, it reverts because the dailyClaimLimit was already decreased by the owner, of which he had no idea.
Both scenarios highlight the importance of event logging for critical state changes, as it helps users stay informed and make better decisions.

Recommended Mitigation

An event should be emitted whenever the dailyClaimLimit is adjusted.

+ event NewDailyClaimLimit(uint256 newLimit);

...

function adjustDailyClaimLimit(uint256 by, bool increaseClaimLimit) public onlyOwner {

if (increaseClaimLimit) {

dailyClaimLimit += by;

} else {

if (by > dailyClaimLimit) {

revert RaiseBoxFaucet_CurrentClaimLimitIsLessThanBy();

}

dailyClaimLimit -= by;

}

+ emit NewDailyClaimLimit(dailyClaimLimit);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 17 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.