Insufficient creator check in the set_deadline function
When setting the deadline in the set_deadline function, only the creator should be able to make that change. Even if the has_one constraint restricts non-signers from carrying out the transaction, there is no guarantee that another keypair acting as a signer will not be passed into the instruction.
If the check does not properly verify the creator initialized in the Fund account, an unauthorized signer can control or change the deadline time.
Manual review, Trident
Verify the creator address stored in the Fund account.
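As an added illustration of the recommendation (this is not the audited program's code and does not use anchor_lang), the following dependency-free Rust model reproduces the two checks an Anchor instruction relies on: the `Signer<'info>` type (the `creator` account must have signed) and the `has_one = creator` constraint (`fund.creator` must equal the key of that account). The `Pubkey`, `Fund`, `AccountMeta` and `SetDeadlineError` types, the seed-based key construction and the sample values are all constructed for this example. `set_deadline_unchecked` shows the failure mode the finding describes (any signer is accepted); `set_deadline_checked` shows the hardened form.

```rust
// Added example: a stand-alone model of the Signer + has_one checks for
// set_deadline. All types below are this example's own, not anchor_lang's.

/// 32-byte account key (constructed stand-in for solana_program::pubkey::Pubkey).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey([u8; 32]);

impl Pubkey {
    /// Deterministic test key; a real key would come from a keypair.
    pub fn from_seed(seed: u8) -> Self {
        Pubkey([seed; 32])
    }
}

/// On-chain state of the fund account (constructed for this example).
#[derive(Debug, Clone)]
pub struct Fund {
    pub creator: Pubkey,
    pub deadline: i64,
}

/// What the runtime tells the program about an account passed to the instruction.
#[derive(Debug, Clone, Copy)]
pub struct AccountMeta {
    pub key: Pubkey,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SetDeadlineError {
    /// The `creator` account did not sign the transaction (Anchor: `Signer<'info>`).
    MissingSignature,
    /// `fund.creator` differs from the supplied account (Anchor: `has_one = creator`).
    CreatorMismatch,
}

/// Vulnerable variant: only requires that *some* signer was supplied and never
/// compares it with `fund.creator`, so any keypair holder can move the deadline.
pub fn set_deadline_unchecked(
    fund: &mut Fund,
    caller: AccountMeta,
    new_deadline: i64,
) -> Result<(), SetDeadlineError> {
    if !caller.is_signer {
        return Err(SetDeadlineError::MissingSignature);
    }
    fund.deadline = new_deadline;
    Ok(())
}

/// Hardened variant: the same two checks Anchor performs when the accounts
/// struct declares `has_one = creator` on `fund` and `creator: Signer<'info>`.
pub fn set_deadline_checked(
    fund: &mut Fund,
    caller: AccountMeta,
    new_deadline: i64,
) -> Result<(), SetDeadlineError> {
    // Signer<'info>: the account must have signed the transaction.
    if !caller.is_signer {
        return Err(SetDeadlineError::MissingSignature);
    }
    // has_one = creator: the signer must be the creator recorded in the fund.
    if fund.creator != caller.key {
        return Err(SetDeadlineError::CreatorMismatch);
    }
    fund.deadline = new_deadline;
    Ok(())
}

fn main() {
    let creator = Pubkey::from_seed(1);
    let other = Pubkey::from_seed(2);
    let mut fund = Fund { creator, deadline: 100 };

    // A non-creator signer is rejected by the checked variant and the state is untouched.
    let other_signer = AccountMeta { key: other, is_signer: true };
    println!("{:?}", set_deadline_checked(&mut fund, other_signer, 999));
    println!("deadline still {}", fund.deadline);

    // The real creator, signing, succeeds.
    let creator_signer = AccountMeta { key: creator, is_signer: true };
    println!("{:?}", set_deadline_checked(&mut fund, creator_signer, 999));
    println!("deadline now {}", fund.deadline);
}
```

In a real Anchor program both checks run in the generated account-validation code before the instruction body executes; the model keeps them inline so the order (signature first, then ownership of the fund) is visible, and a failed check leaves `fund.deadline` unchanged.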
There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function:

```rust
#[account(mut, has_one = creator)]
pub fund: Account<'info, Fund>
```

If they don't match, the transaction fails. Also, signer verification is included:

```rust
#[account(mut)]
pub creator: Signer<'info>,
```

The creator account must be a signer, meaning the transaction must be signed using the creator's private key.