The withdraw function lacks checks for the funding goal and the deadline. This allows creators to withdraw funds prematurely, potentially defrauding contributors.
The withdraw function does not enforce two essential conditions:
1. The amount raised (amount_raised) must meet or exceed the campaign’s funding goal (goal).
2. The current time (current_time) must be past the campaign’s deadline (deadline).
Without these checks, creators can withdraw funds at any time, even if the campaign has not succeeded or the deadline has not been reached.
The absence of these checks introduces a significant security risk:
Rug Pull Potential: Creators can withdraw any contributed SOL at any time, even if the funding goal is unmet or the deadline is still pending, effectively allowing them to "rug pull" contributors.
Loss of Trust: This vulnerability undermines the platform’s trustless design, as contributors cannot rely on the refund mechanism or the integrity of the fundraising process.
Financial Loss: Contributors may lose their SOL contributions without recourse if creators exploit this flaw.
Manual Code Review
To mitigate this vulnerability, the following actions are recommended:
This ensures that withdrawals are only permitted when the campaign has met its goal and the deadline has passed.
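The two guards described above, written out as an added example. This is not the audited program's code: it is a plain-Rust model with no Anchor or solana_program dependency, so the Campaign struct, the WithdrawError enum, the creator-as-byte-array stand-in for a Pubkey and both function signatures are assumptions. The field names mirror the finding (amount_raised, goal, deadline). The vulnerable variant reproduces the behaviour the finding describes (only the signer is checked); the fixed variant adds the goal and deadline checks, plus a withdrawn flag against a second withdrawal, which goes slightly beyond the finding.

```rust
// Added example, not the audited program's code. Models the withdraw
// instruction's account state and checks without any Solana/Anchor crate.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Campaign {
    pub creator: [u8; 32],   // stand-in for the creator's Pubkey (assumption)
    pub goal: u64,           // funding goal in lamports
    pub amount_raised: u64,  // total contributed so far, in lamports
    pub deadline: i64,       // unix timestamp after which the campaign ends
    pub withdrawn: bool,     // extra guard against a second withdrawal (assumption)
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum WithdrawError {
    Unauthorized,
    GoalNotReached,
    DeadlineNotPassed,
    AlreadyWithdrawn,
}

/// Vulnerable shape described in the finding: the only check is that the
/// signer is the creator, so funds can be drained at any time.
pub fn withdraw_vulnerable(
    c: &mut Campaign,
    signer: &[u8; 32],
    _current_time: i64,
) -> Result<u64, WithdrawError> {
    if &c.creator != signer {
        return Err(WithdrawError::Unauthorized);
    }
    let amount = c.amount_raised;
    c.amount_raised = 0;
    c.withdrawn = true;
    Ok(amount)
}

/// Fixed shape: the creator may only withdraw once the goal is met AND the
/// deadline has passed, and only once.
pub fn withdraw_fixed(
    c: &mut Campaign,
    signer: &[u8; 32],
    current_time: i64,
) -> Result<u64, WithdrawError> {
    if &c.creator != signer {
        return Err(WithdrawError::Unauthorized);
    }
    if c.withdrawn {
        return Err(WithdrawError::AlreadyWithdrawn);
    }
    // amount_raised must meet or exceed goal
    if c.amount_raised < c.goal {
        return Err(WithdrawError::GoalNotReached);
    }
    // current_time must be strictly past the deadline
    if current_time <= c.deadline {
        return Err(WithdrawError::DeadlineNotPassed);
    }
    let amount = c.amount_raised;
    c.amount_raised = 0;
    c.withdrawn = true;
    Ok(amount)
}

fn main() {
    // Constructed sample: goal not yet met, deadline not yet reached.
    let creator = [1u8; 32];
    let mut campaign = Campaign {
        creator,
        goal: 100,
        amount_raised: 50,
        deadline: 1_000,
        withdrawn: false,
    };
    println!("vulnerable: {:?}", withdraw_vulnerable(&mut campaign.clone(), &creator, 10));
    println!("fixed:      {:?}", withdraw_fixed(&mut campaign, &creator, 10));
}
```

In a real Anchor program the same conditions would be expressed against the account's fields and Clock::get()?.unix_timestamp, returning custom error codes instead of this enum; the ordering of the checks (signer, then state, then goal, then time) is what matters.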