Root + Impact

Description

• Normal Behavior:
  The mintFaucetTokens function is designed to allow the contract owner to mint tokens to the faucet (i.e., the contract itself), but only when the faucet is empty or nearly empty. The custom error RaiseBoxFaucet_FaucetNotOutOfTokens() suggests that minting should only be allowed when the faucet is out of tokens.

  Vulnerability:
  The current balance check only verifies that the existing balance is not above the threshold.

  function mintFaucetTokens(address to, uint256 amount) public onlyOwner {

  if (to != address(this)) {

  revert RaiseBoxFaucet_MiningToNonContractAddressFailed();

  }

  ​

  // @> Incorrect logic: only checks current balance, not future balance after mint

  if (balanceOf(address(to)) > 1000 * 10 ** 18) {

  revert RaiseBoxFaucet_FaucetNotOutOfTokens();

  }

  ​

  _mint(to, amount);

  emit MintedNewFaucetTokens(to, amount);

  }

Risk

Likelihood:

• This issue will occur any time the contract balance is just the 1000-token threshold and the owner mints an amount that pushes it over the limit.

Impact:

• Faucet can exceed its intended token cap, breaking supply control.

• Inconsistent behavior between actual logic and what the error name implies (i.e., “faucet not out of tokens” firing incorrectly).

Proof of Concept:

The line says:

So here the token initially minted was 1000000000 so it the token issued is 1000 at a time then it must have 1000 at the end. That means the 1000 token still in the faucet and it is not out of tokens. And if the future tokens are minted then it must be multiple of 1000. So it clearly states that the check must be

Recommended Mitigation