RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Deadline Flag Not Set in set_deadline Function

monteago30

Summary

The set_deadline function sets the deadline timestamp but fails to update the dealine_set flag, allowing the deadline to be changed multiple times.

Vulnerability Details

In the set_deadline function, there's a check to verify if the deadline has already been set using the dealine_set flag:

if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}

However, after setting the deadline value, the function doesn't update the dealine_set flag to true. This oversight means that despite the check, the deadline can be changed multiple times as the flag never gets updated.

// The flag is checked but never updated to true
fund.deadline = deadline;
// Missing: fund.dealine_set = true;

Impact

This vulnerability allows the creator of a fund to manipulate the deadline multiple times, which breaks the trustless nature of the platform. A malicious creator could:

  1. Set a far-off deadline to attract contributions

  2. Once sufficient funds are collected, change the deadline to a past date

  3. Withdraw all funds immediately, bypassing any time commitments made to contributors

This severely undermines trust in the platform and could lead to fraudulent behavior.

Tools Used

Manual code review

Recommendations

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline;
fund.dealine_set = true; // Add this line to update the flag
Ok(())
}
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.