Raisebox Faucet
First Flight #50
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

dailyDrips Incorrectly Resets on Subsequent Claims

0xnigthswatch

Description

  • Normally, the claimFaucetTokens function allows a user to claim SepETH only once and faucet tokens repeatedly. The dailyDrips variable tracks the total SepETH distributed per day and should accumulate correctly across all users’ first-time claims.

  • The issue occurs when a user who has already claimed SepETH tries to claim faucet tokens again. Instead of skipping the SepETH drip and only giving faucet tokens, the dailyDrips counter incorrectly resets to zero, breaking the daily accounting logic.

function claimFaucetTokens() public {
// rest of the code
}
} else {
@> dailyDrips = 0;
}

Risk

Likelihood:

  • Occurs whenever a user who has already claimed SepETH attempts to claim faucet tokens again.

  • Can happen multiple times across users in the same day if the function logic incorrectly resets dailyDrips after any repeat claim.

Impact:

  • dailyDrips tracking becomes inaccurate, affecting reporting and any logic that depends on total daily SepETH distribution.

  • Since dailyDrips reset to 0 when non-first-SepEth claimer call to claim, the users will drain contract SepEth value disregarding the dailyDrips limit

Proof of Concept

function test_claimFaucetTokens_not_claiming_SepEth_reset_dailyDrips()
public
{
// Day 1: User1 first claim
vm.prank(user1);
raiseBoxFaucet.claimFaucetTokens();
// Assert dailyDrips increased and user received SepETH + tokens
uint256 dailyDripsAfterUser1 = raiseBoxFaucet.dailyDrips();
console.log(
"DailyDrips after user1 first claim:",
dailyDripsAfterUser1
);
assertEq(
user1.balance,
raiseBoxFaucet.sepEthAmountToDrip(),
"User1 SepETH balance incorrect"
);
assertEq(
raiseBoxFaucet.getBalance(user1),
raiseBoxFaucet.faucetDrip(),
"User1 token balance incorrect"
);
// Fast-forward 3 days (simulate cooldown)
vm.warp(block.timestamp + 3 days + 1);
// Day 4: User2 first claim
vm.prank(user2);
raiseBoxFaucet.claimFaucetTokens();
// Capture dailyDrips after User2 claim
uint256 dailyDripsAfterUser2 = raiseBoxFaucet.dailyDrips();
console.log(
"DailyDrips after user2 first claim:",
dailyDripsAfterUser2
);
// Assert dailyDrips incremented correctly
assertEq(
dailyDripsAfterUser2,
raiseBoxFaucet.sepEthAmountToDrip(),
"dailyDrips did not accumulate correctly"
);
// User1 claims again on day 4 (already claimed SepETH)
// Should only claim faucet tokens, SepETH not dripped
vm.prank(user1);
raiseBoxFaucet.claimFaucetTokens();
// Confirm bug: dailyDrips resets to zero
uint256 dailyDripsAfterUser1SecondClaim = raiseBoxFaucet.dailyDrips();
console.log(
"DailyDrips after user1 second claim:",
dailyDripsAfterUser1SecondClaim
);
assertEq(
dailyDripsAfterUser1SecondClaim,
0
);
}

Recommended Mitigation

There is no need to reset dailyDrips to zero if the user is no eligible to claim SepEth

- } else {
- dailyDrips = 0;
- }
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 days ago
Submission Judgement Published
Validated
Assigned finding tags:

dailyDrips Reset Bug

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.