RustFund

First Flight #36
Beginner FriendlyRust
100 EXP
View results
Submission Details
Severity: high
Valid

Withdraw() Function Lacks Deadline and Goal Achievement Checks

Summary

The withdraw function currently allows the campaign creator to claim the raised funds without verifying that the campaign's deadline has passed and that the funding goal has been met. This can lead to premature withdrawals, undermining the crowdfunding mechanism.

Vulnerability Details

In the withdraw function, funds are transferred to the creator based solely on the amount_raised variable. There are no checks to ensure that:

  • The campaign deadline has been reached, ensuring that the fundraising period has ended.

  • The funding goal has been achieved, which is a precondition for a successful campaign according to project requirements.

Without these verifications, the creator could potentially withdraw funds before the campaign is concluded or even if the campaign fails to meet its goal, thereby violating the trust model of the platform.

Impact

  • Premature Fund Withdrawal: The creator may withdraw funds before the campaign's end, denying contributors their right to a refund if the goal is not met.

  • Campaign Integrity Compromise: Contributors may lose confidence in the platform if funds are accessible before campaign conditions are fully satisfied.

  • Financial Discrepancy: Incorrect handling of funds could lead to disputes and mismanagement, affecting both the campaign's success and overall platform reliability.

Tools Used

  • Manual code review

  • Static analysis of business logic

Recommendations

  • Add Deadline Check: Modify the withdraw function to ensure that funds can only be withdrawn after the campaign deadline has passed. For example:

    let current_timestamp: u64 = Clock::get()?.unix_timestamp.try_into().unwrap();
    if current_timestamp < fund.deadline {
    return Err(ErrorCode::DeadlineNotReached.into());
    }
  • Add Goal Achievement Check: Include a condition to verify that the funding goal was met before allowing withdrawals:

    if fund.amount_raised < fund.goal {
    return Err(ErrorCode::GoalNotReached.into());
    }
  • Update Error Codes: Add appropriate error variants such as DeadlineNotReached and GoalNotReached in the ErrorCode enum.

Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

No goal achievement check in `withdraw` function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.