RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Valid

Deadline Flag Not Updated. Malicious creator can keep updating deadline to prevent contributor refund

Summary

In the `set_deadline` function, the contract checks `fund.dealine_set` to ensure a deadline has not already been set. However, after successfully setting the deadline, it does not update this flag to `true`. This omission makes the check ineffective, as the deadline can be overwritten multiple times.

Vulnerability Details

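```rust
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    // Guard against a second call; relies on `dealine_set` having been set earlier.
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }
    fund.deadline = deadline;
    // As reported: `fund.dealine_set` is never set to `true` here, so the guard above never triggers.
    Ok(())
}
```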

Impact

A malicious creator can keep updating the deadline to prevent contributor refunds.

Tools Used

N/A

Recommendations

Update the `set_deadline` function to include:

```rust
fund.dealine_set = true;
```

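The reported behaviour beside the recommended fix, as an added example that is not the project's own code. It models the account as a plain Rust struct with no Anchor dependency; `Fund`, `set_deadline_vulnerable`, `set_deadline_fixed`, `overwrite_attempt` and the sample deadline values are assumptions made for illustration, while `dealine_set`, `deadline` and `DeadlineAlreadySet` come from the snippet above.

```rust
// Plain-Rust model of the fund account state (assumed layout, no Anchor types).
#[derive(Default)]
pub struct Fund {
    pub deadline: u64,
    pub dealine_set: bool, // spelling as in the audited code
}

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineAlreadySet,
}

// Behaviour as reported: the guard reads the flag, but nothing ever sets it.
pub fn set_deadline_vulnerable(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    Ok(())
}

// Recommended fix: latch the flag in the same call that writes the deadline.
pub fn set_deadline_fixed(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}

// Regression check: set a deadline, try to overwrite it, and report the
// second call's result together with the deadline left in state.
// The values 1_000 and 9_999 are constructed sample timestamps.
pub fn overwrite_attempt(
    set: fn(&mut Fund, u64) -> Result<(), ErrorCode>,
) -> (Result<(), ErrorCode>, u64) {
    let mut fund = Fund::default();
    set(&mut fund, 1_000).expect("first call must succeed");
    let second = set(&mut fund, 9_999);
    (second, fund.deadline)
}

fn main() {
    println!("vulnerable: {:?}", overwrite_attempt(set_deadline_vulnerable));
    println!("fixed:      {:?}", overwrite_attempt(set_deadline_fixed));
}
```

A test of this shape in the program's own test suite would catch a regression if the flag assignment were removed again.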
Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function
