Raisebox Faucet

First Flight #50
Submission Details
Impact: low
Likelihood: low
Invalid

Improper Use of faucetClaimer State Variable

Root + Impact

Description

  • In the claimFaucetTokens() function, the contract includes the following line:

faucetClaimer = msg.sender;

The variable faucetClaimer is declared as a persistent state variable, but it is only used to temporarily hold the caller’s address.

Since this variable is overwritten with every call, it does not have any meaningful persistence.

Moreover, the public getter getClaimer() returns the previous caller’s address, which could mislead front-end or off-chain services relying on it for identifying the current claimer.

This also wastes gas: a storage write costs approximately 20,000 gas per write operation, significantly more than using a local (memory) variable.

Risk

Impact:

  • External systems may incorrectly assume getClaimer() reflects the current user, causing state misinterpretation or logic errors.

  • Every claim unnecessarily writes to storage, increasing gas costs.

Proof of Concept

Recommended Mitigation

diff --git a/src/RaiseBoxFaucet.sol b/src/RaiseBoxFaucet.sol
index 6d83795..0255944 100644
--- a/src/RaiseBoxFaucet.sol
+++ b/src/RaiseBoxFaucet.sol
@@ -11,8 +11,6 @@ contract RaiseBoxFaucet is ERC20, Ownable {
mapping(address => uint256) private lastClaimTime;
mapping(address => bool) private hasClaimedEth;
- address public faucetClaimer;
-
uint256 public constant CLAIM_COOLDOWN = 3 days;
uint256 public dailyClaimLimit = 100;
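Review bot: the removed declaration `address public faucetClaimer;` is `public`, so the compiler also generated a `faucetClaimer()` getter for it, and deleting the line drops that getter from the ABI along with the storage slot. Mention both in the change description. `dailyClaimLimit` and every state variable declared after it move up one slot, which is harmless for a fresh deployment but matters if this contract is ever placed behind an upgradeable proxy.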
@@ -58,7 +56,6 @@ contract RaiseBoxFaucet is ERC20, Ownable {
uint256 sepEthDrip_,
uint256 dailySepEthCap_
) ERC20(name_, symbol_) Ownable(msg.sender) {
-
faucetDrip = faucetDrip_;
sepEthAmountToDrip = sepEthDrip_;
dailySepEthCap = dailySepEthCap_;
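Review bot: the only change in the constructor hunk is the removal of the blank line after `) ERC20(name_, symbol_) Ownable(msg.sender) {`, which has nothing to do with the `faucetClaimer` fix. Drop it from this patch or send it as a separate formatting change so the diff carries only the storage change.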
@@ -160,7 +157,7 @@ contract RaiseBoxFaucet is ERC20, Ownable {
function claimFaucetTokens() public {
// Checks
- faucetClaimer = msg.sender;
+ address faucetClaimer = msg.sender;
// (lastClaimTime[faucetClaimer] == 0);
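Review bot: in `claimFaucetTokens()`, the new local `address faucetClaimer = msg.sender;` is a plain alias of `msg.sender`, and reusing the old state variable's name makes later reads in the function look like storage accesses. Consider renaming it (for example `claimer`) or using `msg.sender` directly, and delete the commented-out `// (lastClaimTime[faucetClaimer] == 0);` line beneath it while this block is being touched.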
@@ -275,10 +272,6 @@ contract RaiseBoxFaucet is ERC20, Ownable {
return balanceOf(user);
}
- function getClaimer() public view returns (address) {
- return faucetClaimer;
- }
-
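Review bot: removing `getClaimer()` breaks the interface for the front-end or off-chain services the description says may rely on it, and the patch neither documents that nor offers a replacement. State the removal in the change description and add a NatSpec or README note telling integrators to stop calling it, since the value it returned was only ever the most recent caller written by `claimFaucetTokens()`.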
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
