Contributors can obtain refunds even when a campaign has successfully reached its fundraising goal.
In a traditional crowdfunding model, once a campaign reaches its goal, the funds should be secured for the creator to fulfill their project. The current implementation only checks if the deadline has been reached before allowing refunds, without considering whether the funding goal has been met.
The refund() function in the program implements the logic for processing refund requests from contributors. Currently, it only verifies that:
The deadline has been set (fund.deadline != 0)
The current time has not yet reached the deadline
The relevant code snippet from the refund() function is:
This means that contributors can withdraw their funds from a successful campaign as long as the deadline hasn't passed, potentially causing a successful campaign to fall below its funding goal after initially reaching it.
Creators cannot trust that their funding is secure even after reaching their goal
Projects may be unable to proceed as planned if critical funding is withdrawn
Contributors might abuse this mechanism to temporarily inflate funding numbers without real commitment
In extreme cases, it could facilitate pump-and-dump schemes where initial contributors artificially inflate a fund's success to attract others, then withdraw their funds
Manual Review
The refund logic should be modified to include a check for whether the funding goal has been met. If the goal has been met, refunds should be denied regardless of the deadline status.
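The recommended check, placed beside the deadline-only logic this finding describes. This is an added example in plain Rust, not the audited program's code; `Fund`, its fields, `RefundError` and the function names are assumed for illustration.

```rust
// Added illustration: a plain-Rust model of the refund gate, not the audited program.
// `Fund`, its fields and `RefundError` are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum RefundError { DeadlineNotSet, DeadlineReached, GoalReached, NothingToRefund }

pub struct Fund {
    pub goal: u64,
    pub deadline: u64, // 0 means "not set"
    pub amount_raised: u64,
}

/// Checks as the finding describes them: only the deadline is consulted.
pub fn refund_as_described(fund: &mut Fund, now: u64, contributed: u64) -> Result<u64, RefundError> {
    if fund.deadline == 0 { return Err(RefundError::DeadlineNotSet); }
    if now >= fund.deadline { return Err(RefundError::DeadlineReached); }
    pay_out(fund, contributed)
}

/// Recommended form: once the goal is met, deny refunds regardless of deadline status.
pub fn refund_hardened(fund: &mut Fund, now: u64, contributed: u64) -> Result<u64, RefundError> {
    if fund.amount_raised >= fund.goal { return Err(RefundError::GoalReached); }
    if fund.deadline == 0 { return Err(RefundError::DeadlineNotSet); }
    if now >= fund.deadline { return Err(RefundError::DeadlineReached); }
    pay_out(fund, contributed)
}

// Shared bookkeeping: reduce the raised total by the contributor's recorded amount.
fn pay_out(fund: &mut Fund, contributed: u64) -> Result<u64, RefundError> {
    if contributed == 0 { return Err(RefundError::NothingToRefund); }
    fund.amount_raised = fund
        .amount_raised
        .checked_sub(contributed)
        .ok_or(RefundError::NothingToRefund)?;
    Ok(contributed)
}

fn main() {
    // Constructed scenario: goal 100, 120 raised, deadline still in the future.
    let mut a = Fund { goal: 100, deadline: 1_000, amount_raised: 120 };
    println!("deadline-only: {:?}, raised now {}", refund_as_described(&mut a, 500, 50), a.amount_raised);
    let mut b = Fund { goal: 100, deadline: 1_000, amount_raised: 120 };
    println!("hardened:      {:?}, raised now {}", refund_hardened(&mut b, 500, 50), b.amount_raised);
}
```
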