Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: low

Invalid

Risk of centralization - The contract is centrally controlled by an owner which is against the Web3 principals.

Author Revealed upon completion

Root + Impact

Description

Obviously, the contract is controlled by the owner (the person or account that has deployed it). Thereore, they are capabale of doing almost anything with the contract, such as pausing it forever, adjusting the limits too low that make the faucet contract literally unusable, etc.
The following is one example.

function adjustDailyClaimLimit(

uint256 by,

bool increaseClaimLimit

@> ) public onlyOwner {

if (increaseClaimLimit) {

dailyClaimLimit += by;

} else {

if (by > dailyClaimLimit) {

revert RaiseBoxFaucet_CurrentClaimLimitIsLessThanBy();

}

dailyClaimLimit -= by;

}

Risk

Likelihood: Low

Inspite of the power to make damages to the system, it is less likely the owner would do so. However, they can if they decide to. They may even do it accidentally.

Impact: High

Due to the permissions which are given to the owner, they can make harmful adjustments to get the contract stop working.

Proof of Concept

Please copy and paste the following code to the test file, and run it.

function testOwnerCanTamperWithTheContract() public {

// The owner can pause the contract forever

// Arrange & Act

vm.prank(owner);

raiseBoxFaucet.toggleEthDripPause(true); // Users cannot get Sepolia ETH from the faucet anymore

vm.prank(user1);

uint256 user1InitialEthBalance = address(user1).balance;

raiseBoxFaucet.claimFaucetTokens();

uint256 user1FinalEthBalance = address(user1).balance;

// Assert

assert(user1InitialEthBalance == user1FinalEthBalance);

// The owner can set the dailyClaimLimits too low to run the contract unusable

// Arrange & Act

vm.prank(owner);

raiseBoxFaucet.adjustDailyClaimLimit(99, false); // Reduce from 100 to 1

// Assert

vm.prank(user2);

vm.expectRevert(); // user1 has already used the daily limit

raiseBoxFaucet.claimFaucetTokens();

}

Recommended Mitigation

Consider replacing the one owner with a multi-sig wallet or even better, with a DAO.

Updates

Lead Judging Commences

inallhonesty Lead Judge 1 day ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

View preliminary results

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.