RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Invalid

(High) Missing creator check, incorrect deadline

Summary

The refund function has two critical flaws:

  1. Missing contributor check: it does not verify that the caller is actually the contributor associated with the contribution account; it only checks that the contributor signer is the same as the one stored in the account. This allows anyone to refund a contribution belonging to someone else.

  2. Incorrect deadline check: it checks that the deadline is not 0, which can cause the program to incorrectly allow refunds, since the default value of a u64 is 0.

Vulnerability Details

  1. Missing contributor check:
    The refund function (programs/rustfund/src/lib.rs) is intended to let a contributor get a refund if the deadline has passed and the goal has not been met. However, it only verifies that the contributor is a signer and is the same as in the contribution account; it does not check anything else to prevent unauthorized refunds. Specifically, the constraints on the contribution account:

    #[account(
        mut,
        seeds = [fund.key().as_ref(), contributor.key().as_ref()],
        bump,
        has_one = contributor, // only check added
        has_one = fund         // only check added
    )]

    only validate that the contributor is a signer and matches the contribution account. They do not prevent a different user from calling refund with another user's contribution account, as long as they provide the correct seeds.

  2. Incorrect deadline check:
    The refund function has an incorrect deadline check:

    if ctx.accounts.fund.deadline != 0
        && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap()
    {
        return Err(ErrorCode::DeadlineNotReached.into());
    }

    This means the program checks that the deadline is not zero and that the deadline is greater than the unix_timestamp, which is incorrect. If the campaign has met its deadline, the deadline will be greater than the unix_timestamp.

Impact

  • High:

    1. Missing contributor check: a malicious user can steal funds by refunding contributions made by other users to themselves. They only need to know the fund and the target contributor's public key to construct the correct contribution PDA and call the refund function.

    2. Incorrect deadline check: a user can refund funds at any time, as long as the deadline is set.

Tools Used

  • Manual code review

  • Solana transaction simulation (to verify the lack of proper checks)

Recommendations

  1. Enforce contributor verification:
    Check that the contributor signer's key matches the contributor key stored in the contribution account, and remove has_one=contributor.

  2. Fix deadline check:
    Check the deadline in the refund method:

    if ctx.accounts.fund.deadline == 0
        || ctx.accounts.fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap()
    {
        return Err(ErrorCode::DeadlineNotReached.into());
    }
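To make the two deadline conditions concrete, the following is an added Rust harness (not part of the submission and not code from the RustFund program) that evaluates the original gate and the recommended gate as pure functions over constructed timestamps; every timestamp and scenario label is a constructed assumption. Each function returns true when the refund would be rejected, so the table it prints shows which campaign states each gate admits, which is the check a reviewer would run before accepting either condition.

```rust
// Added example, not from the submission or the RustFund code base.
// The two deadline gates from the report are modelled as pure functions
// over u64 unix timestamps so their behaviour can be tabulated off-chain.
// A deadline of 0 is the account's default (unset) value, as the report notes.

/// Gate as written in the original refund function. Returns true when the
/// refund is rejected, i.e. when a deadline is set and lies in the future.
pub fn original_rejects(deadline: u64, now: u64) -> bool {
    deadline != 0 && deadline > now
}

/// Gate proposed in the Recommendations section. Returns true when the
/// refund is rejected, i.e. when the deadline is unset or lies in the past.
pub fn recommended_rejects(deadline: u64, now: u64) -> bool {
    deadline == 0 || deadline < now
}

/// Evaluate both gates over (label, deadline, now) scenarios and return
/// (label, original_rejects, recommended_rejects) for each one.
pub fn tabulate(scenarios: &[(&'static str, u64, u64)]) -> Vec<(&'static str, bool, bool)> {
    scenarios
        .iter()
        .map(|&(label, deadline, now)| {
            (label, original_rejects(deadline, now), recommended_rejects(deadline, now))
        })
        .collect()
}

/// Constructed scenarios with hypothetical timestamps (seconds since epoch).
pub fn sample_scenarios() -> Vec<(&'static str, u64, u64)> {
    let now = 1_700_000_000;
    vec![
        ("unset deadline (0)", 0, now),
        ("deadline one day ahead", now + 86_400, now),
        ("deadline exactly now", now, now),
        ("deadline one day ago", now - 86_400, now),
    ]
}

fn main() {
    println!("{:<24} {:>10} {:>12}", "scenario", "original", "recommended");
    for (label, orig, rec) in tabulate(&sample_scenarios()) {
        let word = |rejected: bool| if rejected { "reject" } else { "allow" };
        println!("{:<24} {:>10} {:>12}", label, word(orig), word(rec));
    }
}
```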

Updates

Appeal created

bube (Lead Judge), 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
