Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

Title: Incorrect Ownable Constructor Usage in RaiseBoxFaucet

_okchev

Root + Impact

Description

Normally, the Ownable contract from OpenZeppelin automatically assigns the deployer msg.sender as the contract owner when inherited. This allows only the owner to call privileged functions such as mintFaucetTokens, burnFaucetTokens, and refillSepEth.

In the current constructor of RaiseBoxFaucet, the code attempts to pass msg.sender to Ownable using Ownable(msg.sender). Modern OpenZeppelin versions do not support a constructor with parameters, so this causes either a compilation error or results in the owner being unset address(0), breaking all onlyOwner functionality.

constructor(

string memory name_,

string memory symbol_,

uint256 faucetDrip_,

uint256 sepEthDrip_,

uint256 dailySepEthCap_

) ERC20(name_, symbol_) Ownable(@>msg.sender@>) {

faucetDrip = faucetDrip_;

sepEthAmountToDrip = sepEthDrip_;

dailySepEthCap = dailySepEthCap_;

_mint(address(this), INITIAL_SUPPLY);

}

Risk

Likelihood:

Occurs during deployment with OpenZeppelin v4.7.0 or later where Ownable no longer has a constructor that accepts parameters.
Developers may deploy the contract assuming msg.sender is owner, but owner() could be address(0), leaving all onlyOwner functions inaccessible.

Impact:

Owner-only functions such as minting, burning, ETH refills, and pausing drips become permanently uncallable.
Funds (both faucet tokens and ETH) may be permanently locked in the contract due to the inability to manage or withdraw them.

Proof of Concept

// Deploying the contract with OpenZeppelin v4.8.0+

contract TestFail {

RaiseBoxFaucet faucet;

function deployFail() external {

faucet = new RaiseBoxFaucet("Test", "TST", 1000, 0.005 ether, 1 ether);

// Attempting faucet.owner() returns 0x0 or compilation fails

}

Recommended Mitigation

- constructor(

- string memory name_,

- string memory symbol_,

- uint256 faucetDrip_,

- uint256 sepEthDrip_,

- uint256 dailySepEthCap_

- ) ERC20(name_, symbol_) Ownable(msg.sender) {

+ constructor(

+ string memory name_,

+ string memory symbol_,

+ uint256 faucetDrip_,

+ uint256 sepEthDrip_,

+ uint256 dailySepEthCap_

+ ) ERC20(name_, symbol_) Ownable() {

faucetDrip = faucetDrip_;

sepEthAmountToDrip = sepEthDrip_;

dailySepEthCap = dailySepEthCap_;

_mint(address(this), INITIAL_SUPPLY);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.