Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

[H-01] Global `RaiseBoxFaucet::faucetClaimer` Variable Misuse

The contract declares `faucetClaimer` as a state variable, but it is only used inside the `RaiseBoxFaucet::claimFaucetTokens` function.
This introduces unnecessary storage writes and increases gas costs. Worse, it creates a persistent state variable that could be accidentally reused or manipulated in future logic, leading to unintended behavior.

Impact:

1. Unnecessary gas cost due to persistent storage writes.

2. State pollution: the variable persists across transactions.

3. Risk of accidental misuse in future contract upgrades or logic.

4. Reduces clarity and violates the principle of least privilege.

Proof of Concept:

Add this test to `RaiseBoxFaucet.t.sol`:

function testGlobalFaucetClaimerPersists() public {
    // First user claims
    vm.prank(user1);
    faucet.claimFaucetTokens();

    // Check faucetClaimer is user1
    address claimerAfterUser1 = faucet.faucetClaimer();
    assertEq(claimerAfterUser1, user1, "faucetClaimer should be user1");

    // Advance time to bypass cooldown
    vm.warp(block.timestamp + 3 days);

    // Second user claims
    vm.prank(user2);
    faucet.claimFaucetTokens();

    // Check faucetClaimer is now user2
    address claimerAfterUser2 = faucet.faucetClaimer();
    assertEq(claimerAfterUser2, user2, "faucetClaimer should be user2");
}

Recommended Mitigation:

Replace the global state variable with a local variable inside the function.

- address public faucetClaimer;
+ // REMOVE global faucetClaimer declaration
function claimFaucetTokens() public {
- faucetClaimer = msg.sender;
+ address faucetClaimer = msg.sender;
...
}
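
Review bot: removing `address public faucetClaimer;` also removes the compiler-generated `faucetClaimer()` getter, so the proof-of-concept test above, which calls `faucet.faucetClaimer()`, no longer compiles once this change is applied; the test needs to be dropped or rewritten alongside the fix, and anything off-chain that reads the getter needs updating. The body of `claimFaucetTokens` is elided with `...`, so before applying this confirm that no other function in the contract reads `faucetClaimer`. Inside the function, using `msg.sender` directly would be simpler than introducing a local alias for it.
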
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
