Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high

Repeat claims reset `dailyDrips`

Author Revealed upon completion

Description

Normal behavior

  • dailyDrips should reset only when a new day starts

Issue

  • The contract incorrectly resets dailyDrips in the else branch of the ETH claim check, which is taken for users who have already claimed ETH:

  • Line: 212

```solidity
function claimFaucetTokens() public {
    //...
    if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {
        //...
    } else {
        dailyDrips = 0;
    }
    //...
}
```

Risk

Likelihood:

  • Any address that has claimed ETH before and waited out the 3-day cooldown can claim again to reset dailyDrips

Impact:

  • Daily ETH distribution cap can be bypassed

  • Faucet ETH balance can be drained faster than intended

  • Disrupts fair distribution mechanism

Proof of Concept

Textual PoC

  1. Claimer claims ETH for the first time.

  2. After 3 days, the claimer claims again, which resets dailyDrips to 0.

Coded PoC

```solidity
function test_dailyDripsReset() public {
    // First claim - should work normally
    vm.prank(user1);
    raiseBoxFaucet.claimFaucetTokens();
    // User1 calls again - this resets dailyDrips
    vm.warp(block.timestamp + 3 days);
    vm.prank(user1);
    raiseBoxFaucet.claimFaucetTokens();
    vm.assertTrue(raiseBoxFaucet.dailyDrips() == 0, "dailyDrips should be reset to 0 after user1's second claim");
}
```

Recommended Mitigation

Remove the incorrect reset:

function claimFaucetTokens() public {
//...
if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {
//...
}
- else {
- dailyDrips = 0;
- }
}
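
Review bot: The removed `else` also ran whenever `sepEthDripsPaused` was true, since the remaining condition is `!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused`, so the description should say that paused-state calls reset `dailyDrips` too, not only repeat claimers. After this change nothing in the visible lines resets `dailyDrips`; the day-boundary reset sits behind the elided `//...`, and the patch should show or reference it so a reader can confirm the counter still resets once per day. A regression test that asserts `dailyDrips` is unchanged by a repeat claim made on the same day as first-time claims would pin the fix.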

This ensures dailyDrips is only reset at day boundaries and cannot be manipulated by repeat callers.
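
The Impact section says the daily cap can be bypassed; the following added example (a constructed Python model, not the contract's code or the submitter's PoC) checks the invariant "ETH sent per day never exceeds the cap" with and without the `else` reset. `DRIP`, `DAILY_CAP`, the `last_drip_day` bookkeeping and the claimer names are assumptions, and the pause flag is left out.

```python
DAY = 24 * 60 * 60
COOLDOWN = 3 * DAY   # the 3-day cooldown from the finding
DRIP = 5             # assumed ETH drip per first-time claimer (arbitrary units)
DAILY_CAP = 10       # assumed daily ETH cap, same units


class FaucetModel:
    """Constructed model of the ETH branch of claimFaucetTokens(); not the contract's code."""

    def __init__(self, patched):
        self.patched = patched
        self.daily_drips = 0           # models dailyDrips
        self.has_claimed_eth = set()   # models hasClaimedEth
        self.last_claim = {}           # claimer -> time of last claim (cooldown)
        self.last_drip_day = 0         # assumed day-boundary bookkeeping
        self.paid_by_day = {}          # day index -> ETH actually sent

    def claim(self, claimer, now):
        if now - self.last_claim.get(claimer, -COOLDOWN) < COOLDOWN:
            raise RuntimeError("cooldown not elapsed")
        self.last_claim[claimer] = now
        if claimer not in self.has_claimed_eth:
            day = now // DAY
            if day > self.last_drip_day:   # the only legitimate reset: a new day
                self.last_drip_day = day
                self.daily_drips = 0
            if self.daily_drips + DRIP <= DAILY_CAP:
                self.has_claimed_eth.add(claimer)
                self.daily_drips += DRIP
                self.paid_by_day[day] = self.paid_by_day.get(day, 0) + DRIP
        elif not self.patched:
            self.daily_drips = 0           # reported bug: reset on a repeat claim


def max_eth_paid_in_one_day(patched):
    faucet = FaucetModel(patched)
    faucet.claim("repeat", 0)              # day 0: first claim of the later repeat caller
    t = 3 * DAY                            # day 3: cooldown has elapsed
    for offset, claimer in enumerate(["a", "b", "repeat", "c", "d"]):
        faucet.claim(claimer, t + offset)  # "repeat" takes the else branch mid-day
    return max(faucet.paid_by_day.values())


if __name__ == "__main__":
    print("unpatched:", max_eth_paid_in_one_day(False), "cap:", DAILY_CAP)
    print("patched:  ", max_eth_paid_in_one_day(True), "cap:", DAILY_CAP)
```

The same per-day invariant, expressed against the real contract's cap and drip values, is a useful regression test to keep alongside the fix.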
