RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: medium
Invalid

Premature Fund Contributions Before Deadline Is Set

Summary

The protocol allows users to contribute to the fund before the creator has set a deadline. This premature contribution capability creates uncertainty for contributors.

Vulnerability Details

In the contribute function, there is a check that verifies whether the deadline has passed, but it incorrectly allows contributions when no deadline is set (when fund.deadline is 0).

pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    let contribution = &mut ctx.accounts.contribution;
    // Rejects only when a deadline is set AND it is already in the past.
    if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
        return Err(ErrorCode::DeadlineReached.into());
    }
    // (the rest of the function is not shown in this excerpt)
}

Because the condition uses the AND (&&) operator, the function blocks contributions only when both of the following hold:

  1. A deadline has been set (fund.deadline != 0)

  2. The deadline has passed (fund.deadline < current_time)

This means that when fund.deadline is 0 (its initial value when a fund is created), the first condition is false, which makes the entire condition false regardless of the second condition and allows contributions to proceed.

Impact

Medium

Tools Used

Manual Review

Recommendations

if fund.deadline == 0 {
    return Err(ErrorCode::DeadlineNotSet.into());
}

Add the above check to the contribute function.
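
The behaviour described in this submission can be reproduced with a small stand-alone model of the check. This is an added example, not code from the RustFund program or from the submission; the function names, the plain u64 now parameter (used in place of the Clock sysvar) and the sample timestamps are assumptions made for illustration.

```rust
// Added example: a stand-alone model of the deadline check, not the program's own code.
// `now` is passed in as a plain u64 instead of being read from the Solana Clock sysvar.

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineReached,
    DeadlineNotSet, // variant name taken from the recommendation in the submission
}

/// The condition as quoted from `contribute`: rejects only when a deadline
/// is set AND it lies in the past.
pub fn check_original(deadline: u64, now: u64) -> Result<(), ErrorCode> {
    if deadline != 0 && deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    Ok(())
}

/// The same condition preceded by the recommended `deadline == 0` guard.
pub fn check_with_guard(deadline: u64, now: u64) -> Result<(), ErrorCode> {
    if deadline == 0 {
        return Err(ErrorCode::DeadlineNotSet);
    }
    check_original(deadline, now)
}

/// Constructed sample states: (label, deadline, now).
pub fn cases() -> Vec<(&'static str, u64, u64)> {
    vec![
        ("deadline unset", 0, 1_700_000_000),
        ("deadline in the future", 1_800_000_000, 1_700_000_000),
        ("deadline exactly now", 1_700_000_000, 1_700_000_000),
        ("deadline passed", 1_600_000_000, 1_700_000_000),
    ]
}

fn main() {
    // Print how each variant of the check treats each state.
    for (label, deadline, now) in cases() {
        println!(
            "{:<24} original={:?} guarded={:?}",
            label,
            check_original(deadline, now),
            check_with_guard(deadline, now)
        );
    }
}
```

The two variants differ only in the unset-deadline row; the strict < comparison means a deadline equal to the current time is still accepted by both.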

Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[Invalid] Contributions are allowed before the deadline is initialized.

There is no problem with users contributing to a given campaign before the deadline is initialized. The issue is when the users refund before the deadline is set.
