RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`Rustfund::withdraw` does not properly check if the deadline (if set) or goal already passed

farismaulana

Summary

there are no validation if the goal already reached for creator corresponding campaign. or if the deadline already passed if the creator set one.

so malicious creator can just call withdrawto withdraw the fund raised without waiting for the goal to reach or deadline passes.

Vulnerability Details

lib.rs#L90-L105

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
let amount = ctx.accounts.fund.amount_raised;
**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.fund.to_account_info().lamports()
.checked_sub(amount)
.ok_or(ProgramError::InsufficientFunds)?;
**ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.creator.to_account_info().lamports()
.checked_add(amount)
.ok_or(ErrorCode::CalculationOverflow)?;
Ok(())
}

as we can see in the snippet above. there are no validation if the goal/deadline already passed.

this make the withdrawhave no constraint and can be called to get the fund raised prematurely

Impact

core function broken as the withdraw can be called anytime to collect the fund by creator

contributor potentially lose funds because they hope the fund only collected when certain goal are met, and ready to call refund if the goal are not reached.

Tools Used

manual review

Recommendations

withdraw should check if the goal already passed or deadline already reached.

so creator cant just take the funds. and contributor can call refund if the goal are not passed.

Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

No goal achievement check in `withdraw` function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.