Raisebox Faucet
First Flight #50
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

L03. Off-by-One Balance Check Prevents Final Valid Claim

accessdenied

Root + Impact

Description

  • Normal behavior: The faucet should allow a user to claim tokens as long as the contract holds at least one full drip amount (faucetDrip). When the contract balance is exactly equal to faucetDrip, the last claimant should be able to withdraw that amount and reduce the contract balance to zero.

  • Specific issue: The contract currently reverts when the contract balance is equal to faucetDrip because it uses <= instead of < in the balance check. As a result, the final valid claim is blocked and a full drip worth of tokens can become permanently stuck in the faucet.

// Root cause in the codebase with @> marks to highlight the relevant section
if (balanceOf(address(this)) @> <= @> faucetDrip) {
revert RaiseBoxFaucet_InsufficientContractBalance();
}

Risk

Likelihood:

  • The condition occurs whenever the faucet balance reaches the exact drip amount after prior claims or administrative burns/mints, which is a normal terminal state as tokens are consumed.

  • Routine operations (multiple users claiming over time) will eventually leave the faucet with exactly one drip amount remaining; when that happens, claims become impossible until the owner tops up the contract.

Impact:

  • The last full drip becomes unrecoverable by normal claimers, effectively locking tokens in the contract until the owner intervenes.

  • Loss of expected user experience and trust: the faucet will appear to hold tokens but refuse to dispense the final drip, potentially causing confusion and administrative overhead.

Proof of Concept

pragma solidity ^0.8.0;
import "forge-std/Test.sol";
import "../src/RaiseBoxFaucet.sol";
contract PoC is Test {
RaiseBoxFaucet faucet;
address attacker = address(0xBEEF);
function setUp() public {
faucet = new RaiseBoxFaucet("RB", "RB", 1000 * 10**18, 0.005 ether, 1 ether);
// Transfer all but one drip to other addresses to simulate depletion
uint256 initial = faucet.getFaucetTotalSupply();
uint256 toDrain = initial - (1000 * 10**18); // leave exactly one drip
// Owner mints/drains via existing functions; simulate by transferring to an address
// For brevity in PoC, assume faucet already has exactly faucetDrip tokens remaining
}
function testFinalClaimBlocked() public {
// Precondition: faucet balance is exactly faucet.faucetDrip()
assertEq(faucet.getFaucetTotalSupply(), faucet.faucetDrip());
// Caller attempts to claim the final drip
vm.prank(attacker);
vm.expectRevert(RaiseBoxFaucet.RaiseBoxFaucet_InsufficientContractBalance.selector);
faucet.claimFaucetTokens();
// Correct behavior would have allowed the claim and reduced faucet balance to 0
assertEq(faucet.getFaucetTotalSupply(), faucet.faucetDrip());
}
}

Explanation: This PoC simulates the faucet being reduced to exactly one faucetDrip unit. The test shows that calling claimFaucetTokens() reverts with InsufficientContractBalance, preventing the rightful final claim. The expected correct behavior is a successful claim that reduces the faucet balance to zero.

Recommended Mitigation

Change the comparison to require the contract hold strictly less than the drip amount to revert — allowing claims when the contract balance is exactly equal to faucetDrip.

Short explanation: Using < lets the last valid claim succeed when the contract balance equals the drip amount, preventing tokens from being stuck.

- remove this code
- if (balanceOf(address(this)) <= faucetDrip) {
- revert RaiseBoxFaucet_InsufficientContractBalance();
- }
+ add this code
+ if (balanceOf(address(this)) < faucetDrip) {
+ revert RaiseBoxFaucet_InsufficientContractBalance();
+ }
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Off-by-one error in `claimFaucetTokens` prevents claiming when the balance is exactly equal to faucetDrip

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.