RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: low
Invalid

Lack of input validation creates potential for resource consumption attacks

Summary

The platform lacks proper input validation mechanisms for these parameters, especially regarding the length of string inputs.

Vulnerability Details

The fund_create() function accepts parameters including name and description strings which are stored directly into the fund's data structure without any validation of their contents or length. While the Fund struct does define maximum lengths for these fields using the #[max_len(200)] and #[max_len(5000)] attributes for name and description respectively, there is no explicit validation in the instruction logic that ensures these constraints are respected before allocation.

Impact

This lack of input validation can lead to several issues, including resource consumption attacks, where an attacker submits excessively large inputs that consume disproportionate amounts of computational resources or storage space.

Tools Used

Manual Review

Recommendations

Validate string lengths for name and description to ensure they don't exceed maximum values:

Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Lack of length validation of `name` and `description` in `fund_create` function

There is a validation for the lengths of `name` and `description` in the `fund_create` function:

```rust
pub struct Fund {
    #[max_len(200)]
    pub name: String,
    #[max_len(5000)]
    .....
}
```

Anchor will check for the lengths of these parameters and the function will fail if they have more characters than the constraints.
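The explicit length check the submission recommends, as an added example that is not the RustFund project's code nor either participant's: plain Rust without the `anchor_lang` crate, with a hypothetical `FundError` enum standing in for the program's own errors. The check is on byte length because Anchor's `InitSpace` reserves 4 + `max_len` bytes for each `String` (a 4-byte Borsh length prefix plus the UTF-8 bytes), so a string that is 200 characters long can still exceed the space reserved by `#[max_len(200)]`.

```rust
/// Limits matching the Fund struct's #[max_len] attributes quoted above.
/// Anchor's InitSpace reserves 4 + max_len BYTES per String, so the checks
/// below compare byte length (str::len), not the number of chars.
pub const MAX_NAME_LEN: usize = 200;
pub const MAX_DESCRIPTION_LEN: usize = 5000;

/// Hypothetical stand-in for the program's error enum (not RustFund's own).
#[derive(Debug, PartialEq)]
pub enum FundError {
    NameTooLong { bytes: usize, max: usize },
    DescriptionTooLong { bytes: usize, max: usize },
}

/// Pre-allocation check a fund_create-style instruction can run before the
/// strings are written into the account. Ok(()) means both strings fit in
/// the space #[max_len] reserves for them; Err names the offending field.
pub fn validate_fund_inputs(name: &str, description: &str) -> Result<(), FundError> {
    if name.len() > MAX_NAME_LEN {
        return Err(FundError::NameTooLong { bytes: name.len(), max: MAX_NAME_LEN });
    }
    if description.len() > MAX_DESCRIPTION_LEN {
        return Err(FundError::DescriptionTooLong {
            bytes: description.len(),
            max: MAX_DESCRIPTION_LEN,
        });
    }
    Ok(())
}

/// Bytes Borsh needs for the two strings: a 4-byte length prefix followed by
/// the UTF-8 bytes of each. Compare against RESERVED_STRING_SPACE to see
/// whether a given pair of inputs would overflow the reserved account space.
pub fn borsh_string_bytes(name: &str, description: &str) -> usize {
    4 + name.len() + 4 + description.len()
}

/// Space InitSpace reserves for the two strings under the quoted #[max_len]s.
pub const RESERVED_STRING_SPACE: usize = 4 + MAX_NAME_LEN + 4 + MAX_DESCRIPTION_LEN;

fn main() {
    // Constructed inputs: 200 ASCII chars fit; 200 two-byte chars (400 bytes) do not.
    let ascii_name = "a".repeat(200);
    let wide_name = "é".repeat(200);
    println!("ascii: {:?}", validate_fund_inputs(&ascii_name, "ok"));
    println!("wide:  {:?}", validate_fund_inputs(&wide_name, "ok"));
    println!("wide needs {} of {} reserved bytes", borsh_string_bytes(&wide_name, "ok"), RESERVED_STRING_SPACE);
}
```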
