Contribution Amounts Not Tracked in contribute() Function
Summary
The contribute function fails to update the contributor's recorded contribution amount after transferring SOL. As a result, refund requests later rely on an uninitialized or zero amount, leading to potential financial loss for contributors.
Vulnerability Details
-
Affected Code:
pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {// ... transfer happens ...// Missing: contribution.amount += amount; // <-- VULNERABILITYfund.amount_raised += amount;Ok(())} -
Attack Vector: When users contribute SOL, their individual contribution amounts are never recorded. The
Contributionaccount remains at its initialized value of 0. -
Root Cause: Failure to update
contribution.amountafter processing transfers.
Impact
All contributors will receive 0 SOL when requesting refunds
Permanent loss of contributed funds for users
Complete failure of core refund functionality
High severity due to direct financial loss to users
Tools Used
Manual code review
Anchor framework context analysis
Recommendations
Immediately update the contribute function to record the contribution amount.
-
Use safe arithmetic methods (e.g.,
checked_add) to update thecontribution.amountfield after the SOL transfer. -
Update the contribution amount after successful transfers.
contribution.amount = contribution.amount.checked_add(amount).ok_or(ErrorCode::CalculationOverflow)?;
Appeal created
Contribution amount is not updated
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.