Not enough checks on the creator account stored in the Fund struct account.
In the fund_create
function , after the fund.creator has been initilialized and been made to be the ctx.creator.key(), there is no explicit check to properly confirm the creator stored in the Fund account is truly the one who initlialized the function.
This can lead to incorrect data if not specified or checked well which. If creators are to be rewarded in some way, the funds will not reach them, if the Fund account details are used explicitly.
Manual review alongside anchor test
make use of require!(fund.creator == ctx.accounts.creator.key(), IncorrectSigner)
in the fund_create function.
IncorrectSigner being a custom error under the error_code enum.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.