The dailyDrips variable is intended to maintain an accurate cumulative total of all Sepolia ETH distributed by the faucet within a 24-hour period, ensuring the contract does not exceed the defined dailySepEthCap per day.
A logic flaw in the else block of claimFaucetTokens() resets the dailyDrips counter to 0 whenever the function is called by a user who has already claimed ETH, or while the drip system is paused. Each such reset makes the faucet forget everything it has already distributed in the current day, so the cap check passes again and the contract can hand out far more ETH than dailySepEthCap allows.
Likelihood:
Occurs any time an ineligible caller (already claimed, or drips paused) calls claimFaucetTokens(), which is a frequent event in an active faucet.
An attacker can trigger it deliberately by alternating calls from fresh addresses (first-time claimers) and from addresses that have already claimed, resetting dailyDrips before every new claim and bypassing dailySepEthCap indefinitely. Ordinary users hitting the function twice produce the same reset by accident.
Impact:
The contract can exceed the daily ETH limit and drain the faucet early.
This undermines the entire cap mechanism, leading to uncontrolled fund distribution and system insolvency risks.
Assume dailySepEthCap = 0.005 ETH and a per-claim drip of 0.005 ETH, so a single claim fills the day's cap.
User A (first-time claimer) calls claimFaucetTokens(): receives 0.005 ETH -> dailyDrips = 0.005 ETH (cap reached).
User A calls again: hasClaimedEth[UserA] == true -> else block runs -> dailyDrips = 0.
User B (first-time claimer) calls: dailyDrips reads 0 -> cap check passes -> receives 0.005 ETH. The faucet has now paid out 0.010 ETH within one day, twice the cap.
By alternating such calls, users can drain well beyond the intended cap without ever tripping the limit.
Code:
Remove the else block that resets dailyDrips.
For ineligible callers (already claimed, or drips paused), revert or simply skip distribution; never modify dailyDrips on that path.
Reset dailyDrips only when a new day begins, using a timestamp-based check against the start of the current 24-hour window.
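The scenario above and the recommended fix, written out as an added illustration in Solidity. This is not the audited faucet's code: the contract name, dripAmount, the windowStart bookkeeping and the 1-day window length are assumptions, and the vulnerable and fixed functions are kept side by side only for comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative reconstruction, not the audited contract: a faucet with a
/// 24-hour Sepolia ETH cap, showing the faulty reset and the corrected logic.
contract FaucetCapExample {
    uint256 public constant dailySepEthCap = 0.005 ether; // value assumed from the scenario
    uint256 public constant dripAmount = 0.005 ether;     // assumed per-claim amount
    uint256 public dailyDrips;                            // ETH dripped in the current window
    uint256 public windowStart;                           // assumed: start of the current 24h window
    bool public dripsPaused;
    mapping(address => bool) public hasClaimedEth;

    constructor() payable {
        windowStart = block.timestamp;
    }

    // VULNERABLE: mirrors the flaw in the finding. Any call from an ineligible
    // caller (already claimed, or paused) lands in the else branch and wipes the
    // running total, so the cap check passes again for the next first-time claimer.
    function claimFaucetTokens_vulnerable() external {
        if (!hasClaimedEth[msg.sender] && !dripsPaused) {
            require(dailyDrips + dripAmount <= dailySepEthCap, "daily cap reached");
            hasClaimedEth[msg.sender] = true;
            dailyDrips += dripAmount;
            (bool ok, ) = msg.sender.call{value: dripAmount}("");
            require(ok, "transfer failed");
        } else {
            dailyDrips = 0; // BUG: forgets everything dripped today
        }
    }

    // FIXED: ineligible callers are rejected before dailyDrips is touched, and the
    // counter is reset only once a new 24-hour window has started.
    function claimFaucetTokens() external {
        require(!dripsPaused, "drips paused");
        require(!hasClaimedEth[msg.sender], "already claimed");

        if (block.timestamp >= windowStart + 1 days) {
            windowStart = block.timestamp;
            dailyDrips = 0;
        }
        require(dailyDrips + dripAmount <= dailySepEthCap, "daily cap reached");

        // Effects before interaction: state is updated before ETH leaves the contract.
        hasClaimedEth[msg.sender] = true;
        dailyDrips += dripAmount;
        (bool ok, ) = msg.sender.call{value: dripAmount}("");
        require(ok, "transfer failed");
    }
}
```

With the fixed function, replaying the scenario (A claims, A calls again, B claims) leaves dailyDrips at 0.005 ETH after A's first claim, reverts A's second call without touching the counter, and reverts B's claim with "daily cap reached" until the window rolls over. The only path that zeroes dailyDrips is the timestamp check, so no sequence of caller addresses can reset it.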