Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Repeat claims reset `dailyDrips`

Description

Normal behavior

  • dailyDrips should reset only when a new day starts

Issue

  • The contract incorrectly resets dailyDrips in the else branch of the ETH-claim check, which runs for callers who have already claimed ETH:

  • Line: 212

```solidity
function claimFaucetTokens() public {
    //...
    if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {
        //...
    } else {
        dailyDrips = 0;
    }
    //...
}
```

Risk

Likelihood:

  • Any address that has claimed ETH before and waited out the 3-day cooldown can claim again to reset dailyDrips

Impact:

  • Daily ETH distribution cap can be bypassed

  • Faucet ETH balance can be drained faster than intended

  • Disrupts fair distribution mechanism

Proof of Concept

Textual PoC

  1. Claimer claims ETH for the first time.

  2. After 3 days, the claimer claims again, which resets dailyDrips to 0.

Coded PoC

```solidity
function test_dailyDripsReset() public {
    // First claim - should work normally
    vm.prank(user1);
    raiseBoxFaucet.claimFaucetTokens();
    // User1 calls again - this resets dailyDrips
    vm.warp(block.timestamp + 3 days);
    vm.prank(user1);
    raiseBoxFaucet.claimFaucetTokens();
    vm.assertTrue(raiseBoxFaucet.dailyDrips() == 0, "dailyDrips should be reset to 0 after user1's second claim");
}
```

Recommended Mitigation

Remove the incorrect reset:

function claimFaucetTokens() public {
//...
if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused) {
//...
}
- else {
- dailyDrips = 0;
- }
}
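
Review bot: the removed `else` is paired with `if (!hasClaimedEth[faucetClaimer] && !sepEthDripsPaused)`, so it ran for repeat claimers and also for any caller while `sepEthDripsPaused` is true. The description only names the repeat-claim path; state that the removal covers both, and add a regression test asserting that `dailyDrips` is unchanged after a call on each path.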

This ensures dailyDrips is only reset at day boundaries and cannot be manipulated by repeat callers.
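
Added example, not part of the submission or the audited contract: a Foundry test against a constructed model of the drip accounting, showing the Impact claim (a first-time claimer is paid after the daily cap is used up) and that it disappears once the `else` reset is removed. `FaucetModel`, `DRIP`, `DAILY_CAP`, `lastDripDay` and the `buggy` switch are assumptions; only `dailyDrips`, `hasClaimedEth` and `claimFaucetTokens` come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed model of the ETH-drip accounting only, not the audited contract.
// DRIP, DAILY_CAP, lastDripDay and the `buggy` switch are assumptions.
contract FaucetModel {
    uint256 public constant DRIP = 0.005 ether;
    uint256 public constant DAILY_CAP = 2 * DRIP;
    bool immutable buggy;
    uint256 public dailyDrips;
    uint256 lastDripDay;
    mapping(address => bool) public hasClaimedEth;

    constructor(bool _buggy) { buggy = _buggy; }

    function claimFaucetTokens() external {
        if (!hasClaimedEth[msg.sender]) {
            uint256 today = block.timestamp / 1 days;
            if (today > lastDripDay) { lastDripDay = today; dailyDrips = 0; } // day boundary
            if (dailyDrips + DRIP > DAILY_CAP) return; // cap reached, no ETH today
            hasClaimedEth[msg.sender] = true;
            dailyDrips += DRIP;
            (bool ok,) = msg.sender.call{value: DRIP}("");
            require(ok, "ETH transfer failed");
        } else if (buggy) {
            dailyDrips = 0; // the else branch from the finding
        }
    }
}

contract DailyCapTest is Test {
    // ETH paid to a first-time claimer who arrives after the day's cap is used up.
    function ethPaidAfterCap(bool buggy) internal returns (uint256) {
        FaucetModel faucet = new FaucetModel(buggy);
        vm.deal(address(faucet), 1 ether);
        address repeat = makeAddr("repeat");
        address late = makeAddr("late");
        vm.prank(repeat); faucet.claimFaucetTokens();      // becomes a past claimer
        vm.warp(block.timestamp + 3 days);                 // cooldown from the finding
        vm.prank(makeAddr("a")); faucet.claimFaucetTokens();
        vm.prank(makeAddr("b")); faucet.claimFaucetTokens();
        assertEq(faucet.dailyDrips(), faucet.DAILY_CAP()); // cap is used up
        vm.prank(repeat); faucet.claimFaucetTokens();      // repeat claim
        vm.prank(late); faucet.claimFaucetTokens();
        return late.balance;
    }
    function test_capHoldsWithoutElseReset() public { assertEq(ethPaidAfterCap(false), 0); }
    function test_capBypassedWithElseReset() public { assertEq(ethPaidAfterCap(true), 0.005 ether); }
}
```

Run it with `forge test` in a project that has forge-std installed; the `false` case doubles as a regression test for the mitigation.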

Updates

Lead Judging Commences

inallhonesty Lead Judge 14 days ago
Submission Judgement Published
Validated
Assigned finding tags:

dailyDrips Reset Bug
