A crowdfund campaign deadline can be changed multiple times, contrary to the intended design of being set only once. This occurs because the fund.deadline_set flag is not updated to true after the deadline is initially set, allowing repeated modifications.
The deadline (fund.deadline) is intended to be immutable once set by the creator. The logic includes a check:
This condition should prevent multiple deadline changes by returning an error if fund.deadline_set is true. However, the flag fund.deadline_set is never updated to true after the initial deadline is assigned with fund.deadline = deadline. As a result, the check always evaluates to false, permitting the creator to modify the deadline repeatedly.
This vulnerability undermines the integrity and predictability of RustFund:
Contributor Trust: Contributors rely on fixed deadlines to assess campaign legitimacy and request refunds if goals aren’t met by the deadline. Multiple changes could confuse or mislead them.
Campaign Manipulation: Creators could extend deadlines indefinitely to avoid refund obligations, eroding the trustless nature of the platform.
Refund Mechanism Failure: Unstable deadlines may disrupt the refund process, as contributors depend on a clear cutoff to reclaim funds when campaigns fail.
Manual Code Review
To resolve this vulnerability, update the code to ensure the fund.deadline_set flag is set to true immediately after the deadline is assigned. The corrected sequence should look like this:
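The following is an added example, not RustFund's own code: a stand-alone Rust model of the guard described above, showing the setter that never flips the flag beside the corrected one, plus a small regression check. Only the field names deadline and deadline_set come from the finding; the struct, error type, function names and timestamps are assumptions made for illustration.

```rust
// Simplified off-chain model of the deadline guard (illustrative only).
// Names other than `deadline` and `deadline_set` are assumed, not RustFund's.
#[derive(Debug, PartialEq)]
pub enum FundError {
    DeadlineAlreadySet,
}

#[derive(Default)]
pub struct Fund {
    pub deadline: u64,
    pub deadline_set: bool,
}

/// Behaviour described in the finding: the guard exists, but the flag is
/// never set, so the guard can never fire.
pub fn set_deadline_vulnerable(fund: &mut Fund, deadline: u64) -> Result<(), FundError> {
    if fund.deadline_set {
        return Err(FundError::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    Ok(())
}

/// Corrected form: record that the deadline was set right after assigning it.
pub fn set_deadline_fixed(fund: &mut Fund, deadline: u64) -> Result<(), FundError> {
    if fund.deadline_set {
        return Err(FundError::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    fund.deadline_set = true;
    Ok(())
}

/// Regression check: call `setter` once per deadline on a fresh fund and
/// return (number of accepted calls, final stored deadline).
pub fn accepted_calls(
    setter: fn(&mut Fund, u64) -> Result<(), FundError>,
    deadlines: &[u64],
) -> (usize, u64) {
    let mut fund = Fund::default();
    let accepted = deadlines.iter().filter(|d| setter(&mut fund, **d).is_ok()).count();
    (accepted, fund.deadline)
}

fn main() {
    let deadlines: [u64; 3] = [1_700_000_000, 1_800_000_000, 1_900_000_000]; // constructed timestamps
    println!("vulnerable: {:?}", accepted_calls(set_deadline_vulnerable, &deadlines));
    println!("fixed:      {:?}", accepted_calls(set_deadline_fixed, &deadlines));
}
```

A check of this shape, kept in the test suite, fails as soon as a second call to the setter is accepted.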