The burnFaucetTokens function incorrectly burns all tokens held by the contract, regardless of the intended burn amount. Instead of reducing the supply by a specific number of tokens (e.g., a user-specified or function-defined amount), it transfers the entire token balance to the burn address (address(0) or a designated burn wallet). This results in excessive token destruction and a potential total depletion of the faucet's token reserves.
Likelihood:
The likelihood of this issue being triggered is high, because the function itself directly performs the erroneous burn without validating the amount. Any user interaction, scheduled task, or automated call that invokes burnFaucetTokens could unintentionally trigger this total-burn scenario. In addition, since the bug is purely logical and does not depend on an external attacker, it can be easily reproduced and can occur under normal operation.
Impact:
This issue is considered critical, as it can cause permanent loss of all tokens stored in the faucet contract. Once tokens are burned, they cannot be recovered. This not only disrupts the faucet’s functionality but could also lead to token scarcity or total supply imbalance, damaging the integrity and usability of the token ecosystem.
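As an added illustration (not the audited project's code), the following Solidity sketch places the pattern described above beside a hardened version that burns exactly the requested amount; the contract name, the minimal token interface, the owner restriction and the dead-address sink are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the faucet relies on (hypothetical interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract FaucetBurnExample {
    IERC20 public immutable token;
    address public immutable owner;
    // Constructed burn sink; the finding mentions address(0) or a designated burn wallet.
    address public constant BURN_ADDRESS = 0x000000000000000000000000000000000000dEaD;

    event FaucetTokensBurned(uint256 amount, uint256 remaining);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern described in the finding: the requested amount is ignored and the
    // whole reserve held by the contract is sent to the burn sink.
    function burnFaucetTokensVulnerable(uint256 /* amount */) external onlyOwner {
        uint256 whole = token.balanceOf(address(this));
        require(token.transfer(BURN_ADDRESS, whole), "transfer failed");
    }

    // Hardened version: burn exactly `amount`, reject zero, and never exceed the reserve.
    function burnFaucetTokens(uint256 amount) external onlyOwner {
        require(amount > 0, "zero amount");
        uint256 reserve = token.balanceOf(address(this));
        require(amount <= reserve, "amount exceeds reserve");
        require(token.transfer(BURN_ADDRESS, amount), "transfer failed");
        emit FaucetTokensBurned(amount, reserve - amount);
    }
}
```

The emitted event makes an unexpected drop in the reserve visible off-chain, which is the simplest way to detect a total burn after the fact.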