RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Invalid

Unauthorized Access to set_deadline Function Allows Arbitrary Deadline Manipulation

Summary

The set_deadline function in lib.rs is publicly accessible when it should only be callable by the fund's creator, allowing any user to set the deadline for a fund. This lack of access control lets a malicious user set an arbitrary deadline, after which the creator is no longer able to set it. For example, a malicious user could set a deadline in the past to make the fund immediately inactive, or a deadline far in the future to delay the fund's completion indefinitely.

Vulnerability Details

The set_deadline function is declared as public and does not enforce any access control restricting its use to the fund's creator. The function accepts a deadline parameter and updates the deadline field of the fund account without validating the caller's identity.

```rust
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    // Only refuses a second call; no check on who the caller is
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }
    fund.deadline = deadline;
    Ok(())
}
```

Impact

  1. Fund Inactivity:
    A malicious user could set a deadline in the past, making the fund immediately inactive and preventing further contributions.

  2. Delayed Fund Completion:
    A malicious user could set a deadline too far in the future, delaying the fund's completion indefinitely and locking up contributors' funds.

Tools Used

  • Manual code review.

Recommendations

  1. Ensure that only the fund's creator can call the set_deadline function by adding an access control check.

  2. Add validation to ensure the deadline is not in the past.

```rust
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    // Ensure only the creator can set the deadline
    if ctx.accounts.creator.key() != fund.creator {
        return Err(ErrorCode::UnauthorizedAccess.into());
    }
    // Ensure the deadline is in the future. Clock::get() yields an i64 unix
    // timestamp; a negative value cannot be a valid u64 deadline, so reject it.
    let now: u64 = Clock::get()?
        .unix_timestamp
        .try_into()
        .map_err(|_| ErrorCode::InvalidDeadline)?;
    if deadline <= now {
        return Err(ErrorCode::InvalidDeadline.into());
    }
    // Ensure the deadline is not already set
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}
```

Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Lack of access control in `set_deadline` function

There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function:

```rust
#[account(mut, has_one = creator)]
pub fund: Account<'info, Fund>
```

If they don't match, the transaction fails. Also, signer verification is included:

```rust
#[account(mut)]
pub creator: Signer<'info>,
```

The creator account must be a signer, meaning the transaction must be signed using the creator's private key.
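To make the ordering the judge describes concrete, here is an added example (not the RustFund program's own code) that models in plain Rust what Anchor enforces through `has_one = creator` and `Signer<'info>` before the handler body runs, and then the handler's own checks including the future-deadline validation from the recommendation. `Pubkey`, `AccountMeta` and the `now` parameter are simplified stand-ins for the Solana types, and the `dealine_set` field name is kept as the program spells it.

```rust
// Added example, not the RustFund program's own code: a plain-Rust model of the
// checks Anchor enforces for `#[account(mut, has_one = creator)]` and
// `creator: Signer<'info>` before the handler runs, then the handler's own checks.
// Pubkey, AccountMeta and the `now` parameter are simplified assumptions.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);
#[derive(Debug, PartialEq, Eq)]
pub enum ErrorCode {
    ConstraintSigner,   // Anchor: the creator account did not sign
    ConstraintHasOne,   // Anchor: fund.creator != key of the creator account
    DeadlineAlreadySet, // handler: dealine_set already true
    InvalidDeadline,    // handler: deadline is not in the future
}
pub struct Fund {
    pub creator: Pubkey,
    pub deadline: u64,
    pub dealine_set: bool, // field name as spelled in the program
}
/// The creator account as the runtime presents it to the program.
pub struct AccountMeta {
    pub key: Pubkey,
    pub is_signer: bool,
}
/// Stage 1: enforced while Anchor builds the Context; on failure the
/// handler body is never entered, so no manual key check is needed there.
fn validate_constraints(fund: &Fund, creator: &AccountMeta) -> Result<(), ErrorCode> {
    if !creator.is_signer {
        return Err(ErrorCode::ConstraintSigner);
    }
    if fund.creator != creator.key {
        return Err(ErrorCode::ConstraintHasOne);
    }
    Ok(())
}
/// Stage 2: the handler, plus the future-deadline check from the
/// recommendation; `now` stands in for Clock::get()?.unix_timestamp.
pub fn set_deadline(fund: &mut Fund, creator: &AccountMeta, deadline: u64, now: i64) -> Result<(), ErrorCode> {
    validate_constraints(fund, creator)?;
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    let now = u64::try_from(now).map_err(|_| ErrorCode::InvalidDeadline)?;
    if deadline <= now {
        return Err(ErrorCode::InvalidDeadline);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}
```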
