Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Incorrect Daily Claim Limit Configuration

Root + Impact

Description

  • The faucet is designed to allow 1000 token claims per day to support adequate testing activity for the testnet protocol. This daily limit controls how many users can claim faucet tokens within a 24-hour period and is a critical parameter for the faucet's operational capacity.

    The dailyClaimLimit is incorrectly initialized to 100 instead of 1000, artificially restricting the number of daily claims to 10% of the intended capacity. This severely limits the faucet's utility for testnet operations and contradicts the protocol's stated requirements in the contract documentation.

// src/RaiseBoxFaucet.sol
uint256 public dailyClaimLimit = 100; // @> Initialized to 100 instead of 1000 (must be 1000)

Risk

Likelihood:

  • The contract will deploy with this incorrect value and immediately begin enforcing the wrong limit from day one

  • Every single day of operation will be affected by this misconfiguration until manually adjusted by the owner

  • The issue exists in the initial state variable declaration, making it unavoidable without code changes

Impact:

  • Only 100 users can claim tokens daily instead of the intended 1000, reducing testnet participation by 90%

  • Legitimate users will be blocked from claiming tokens after the 100th claim of the day, causing user frustration

  • The testnet protocol that depends on these tokens will have insufficient users for proper testing and quality assurance

  • The owner must manually call adjustDailyClaimLimit() after deployment to fix this, incurring additional gas costs

  • This reduces the faucet's effectiveness for its primary purpose: distributing test tokens to enable protocol testing

Proof of Concept

This scenario demonstrates how the incorrect limit blocks legitimate users:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.30;

import "forge-std/Test.sol";
import "../src/RaiseBoxFaucet.sol";

contract DailyClaimLimitTest is Test {
    RaiseBoxFaucet public faucet;
    address public owner;

    function setUp() public {
        owner = address(this);
        // Deploy faucet with standard parameters
        faucet = new RaiseBoxFaucet(
            "RaiseBox Token",
            "RBT",
            1000 * 10**18, // faucetDrip: 1000 tokens per claim
            0.005 ether,   // sepEthDrip: 0.005 ETH per first-time claim
            1 ether        // dailySepEthCap: 1 ETH per day
        );
        // Fund the faucet with ETH
        vm.deal(address(faucet), 10 ether);
    }

    function test_DailyClaimLimitTooLow() public {
        // Verify the dailyClaimLimit is incorrectly set to 100
        assertEq(faucet.dailyClaimLimit(), 100);
        console.log("Daily Claim Limit:", faucet.dailyClaimLimit());
        console.log("Expected Daily Claim Limit: 1000");

        // Simulate 100 users successfully claiming (fills the daily limit)
        for (uint160 i = 1; i <= 100; i++) {
            address user = address(i);
            vm.prank(user);
            faucet.claimFaucetTokens();
            assertEq(faucet.getBalance(user), 1000 * 10**18);
        }
        console.log("100 users claimed successfully");
        console.log("Daily claim count:", faucet.dailyClaimCount());

        // The 101st user attempts to claim but gets reverted
        address user101 = address(101);
        vm.prank(user101);
        vm.expectRevert(RaiseBoxFaucet.RaiseBoxFaucet_DailyClaimLimitReached.selector);
        faucet.claimFaucetTokens();
        console.log("User 101 blocked - cannot claim tokens");

        // All users from 101 to 1000 are also blocked
        // This demonstrates that 900 legitimate users are prevented from claiming
        // even though the faucet should support 1000 claims per day

        // Verify contract still has plenty of tokens available
        uint256 remainingTokens = faucet.getFaucetTotalSupply();
        console.log("Remaining faucet tokens:", remainingTokens / 10**18);
        assertGt(remainingTokens, 900_000 * 10**18); // More than enough for 900 more users

        // The only way to fix this is for the owner to manually adjust the limit
        // which costs gas and delays the fix
    }

    function test_OwnerMustManuallyFix() public {
        // Owner realizes the issue and must call adjustDailyClaimLimit
        // This incurs additional gas costs that could have been avoided
        // Increase limit by 900 to reach the intended 1000
        faucet.adjustDailyClaimLimit(900, true);
        assertEq(faucet.dailyClaimLimit(), 1000);
        console.log("Owner had to manually fix the limit (additional gas cost)");
    }
}

Recommended Mitigation

Change the initial value of dailyClaimLimit from 100 to 1000 to match the protocol specification. This ensures the faucet operates at the intended capacity from deployment without requiring manual intervention.

// src/RaiseBoxFaucet.sol:18
- uint256 public dailyClaimLimit = 100;
+ uint256 public dailyClaimLimit = 1000;
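
Review bot: the new initializer on the `+` line is not accompanied by a test update, and both tests in the Proof of Concept encode the old value. `assertEq(faucet.dailyClaimLimit(), 100)` would fail after this change, and `faucet.adjustDailyClaimLimit(900, true)` would leave the limit at 1900 rather than 1000. Ship the change with a regression test that expects 1000 at deployment and checks that the 1001st claim of the day reverts. Also consider replacing the bare literal with a named constant or a constructor argument so the intended value is stated once, next to the documentation it has to match.
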
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
