Description:
The check exercised by RaiseBoxFaucet_OwnerOrZeroOrContractAddressCannotCallClaim only rejects the owner, the zero address and the faucet contract's own address. Any other contract can call claimFaucetTokens without restriction. If the intent was to exclude all contract callers (a goal that has trade-offs and can be bypassed), no 'isContract'-style check is present, so the test name promises more than the check enforces.
Impact:
Misaligned assumptions: integrators and reviewers may believe contract callers are disallowed when they are not.
Any business logic or threat-model assumption that claims are "EOA-only" does not hold; a deployed contract (or a contract calling from its constructor) can claim on the same terms as an EOA.
Mitigation:
If an EOA-only restriction is truly required (be mindful that EOA vs. contract is not a strong security boundary), either check 'tx.origin == msg.sender' or, better, '!isContract(msg.sender)' based on 'extcodesize'. Note the limits of both: the 'extcodesize' check returns zero for a contract that calls during its own constructor, so it can be bypassed, and both checks reject proxy and account-abstraction wallets. Prefer allowlists or role gating over brittle contract detection.
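The following is an added illustration, not code from the RaiseBoxFaucet project; the contract and function names, the storage layout and the allowlist variant are assumptions for the example. It shows the gate as the finding describes it (owner, zero address and the faucet itself rejected, every other contract accepted), the 'extcodesize' variant together with the constructor-time bypass, the 'tx.origin' variant, and an allowlist alternative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the faucet; not the project's own contract.
contract FaucetGateExample {
    address public immutable owner;
    mapping(address => uint256) public claims;
    mapping(address => bool) public allowlisted;

    error NotAllowed(address caller);

    constructor() {
        owner = msg.sender;
    }

    // Mirrors the gate the test name describes: only the owner, the zero
    // address and the faucet itself are rejected. Any other contract passes.
    // (msg.sender can never actually be address(0); the comparison is kept
    // only to match the wording of the test.)
    function claimFaucetTokens() external {
        if (msg.sender == owner || msg.sender == address(0) || msg.sender == address(this)) {
            revert NotAllowed(msg.sender);
        }
        claims[msg.sender] += 1;
    }

    // extcodesize-style check. a.code.length is zero for EOAs and also for a
    // contract whose constructor is still running, so this is bypassable.
    function isContract(address a) internal view returns (bool) {
        return a.code.length > 0;
    }

    function claimEoaOnlyByCodeSize() external {
        if (msg.sender == owner || msg.sender == address(this) || isContract(msg.sender)) {
            revert NotAllowed(msg.sender);
        }
        claims[msg.sender] += 1;
    }

    // tx.origin variant: closes the constructor bypass, but also rejects
    // smart-contract wallets, proxies and account-abstraction accounts.
    function claimEoaOnlyByTxOrigin() external {
        if (msg.sender == owner || tx.origin != msg.sender) {
            revert NotAllowed(msg.sender);
        }
        claims[msg.sender] += 1;
    }

    // Preferred shape: explicit role gating instead of contract detection.
    function setAllowlisted(address who, bool ok) external {
        if (msg.sender != owner) revert NotAllowed(msg.sender);
        allowlisted[who] = ok;
    }

    function claimAllowlisted() external {
        if (!allowlisted[msg.sender]) revert NotAllowed(msg.sender);
        claims[msg.sender] += 1;
    }
}

// Any already-deployed contract gets through the original gate.
contract ClaimViaContract {
    function claim(FaucetGateExample faucet) external {
        faucet.claimFaucetTokens();
    }
}

// Constructor-time caller: its code is not stored yet, so
// isContract(msg.sender) is false and the extcodesize gate is bypassed.
contract ClaimDuringConstruction {
    constructor(FaucetGateExample faucet) {
        faucet.claimEoaOnlyByCodeSize();
    }
}
```

Deploying ClaimViaContract against a FaucetGateExample instance and calling claim() succeeds, which is the behaviour the finding reports; deploying ClaimDuringConstruction with the faucet address as constructor argument succeeds against claimEoaOnlyByCodeSize, while the same call from an already-deployed contract reverts with NotAllowed. Only claimEoaOnlyByTxOrigin stops both, at the cost of rejecting every contract-based wallet.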