Raisebox Faucet

First Flight #50

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: high

Invalid

mintFaucetTokens Lacks Supply Cap, Allowing for Infinite Minting

folijr01

Root + Impact

Description

The mintFaucetTokens function allows the owner to mint new tokens when the faucet's supply is low. However, the function only checks if the current balance is greater than 1000 * 10 ** 18 and has no upper limit or total supply cap. This allows the owner to repeatedly burn tokens to get below the threshold and then mint an arbitrarily large amount, effectively allowing for infinite token creation over time.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

This occurs whenever the owner decides to mint new tokens.
The owner calls burnFaucetTokens followed by mintFaucetTokens in succession.

Impact:

The total supply of the token can be inflated infinitely, which devalues the token and undermines the economic principles of any protocol that might use it in the future.
This represents a significant centralization risk, as the owner has unchecked control over the token supply.

Proof of Concept

function mintFaucetTokens(address to, uint256 amount) public onlyOwner {

// ...

if (balanceOf(address(to)) > 1000 * 10 ** 18) {

revert RaiseBoxFaucet_FaucetNotOutOfTokens();

}

_mint(to, amount); // No cap on the `amount` parameter

}

Recommended Mitigation

- remove this code

+ uint256 public constant MAX_TOTAL_SUPPLY = 2000000000 * 10 ** 18; // Example cap

function mintFaucetTokens(address to, uint256 amount) public onlyOwner {

if (to != address(this)) {

revert RaiseBoxFaucet_MiningToNonContractAddressFailed();

}

+ require(totalSupply() + amount <= MAX_TOTAL_SUPPLY, "Max supply exceeded");

if (balanceOf(address(to)) > 1000 * 10 ** 18) {

revert RaiseBoxFaucet_FaucetNotOutOfTokens();

}

_mint(to, amount);

emit MintedNewFaucetTokens(to, amount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

157

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!