RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: medium
Valid

Deadlines can be changed indefinitely.

Summary

The `set_deadline` function is used by the owner to set the deadline of a fund after creation; this serves as the ONLY method to determine whether the fund is over or not. The `Fund` struct has two fields that track the deadline: `dealine_set` (a boolean) and `deadline`, which is the actual value of the deadline. The `set_deadline` function is implemented as follows:

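pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    // Guard: reject the call if a deadline was already set.
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }
    // The deadline is stored, but `dealine_set` is never updated here.
    fund.deadline = deadline;
    Ok(())
}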

Vulnerability Details

Here, if `fund.dealine_set` is true, the function returns the error `Err(ErrorCode::DeadlineAlreadySet.into())`. But even when the deadline is set, the `dealine_set` boolean is never set to true, meaning that it is still possible to call this function after the deadline has been set.

Impact

Deadline can be changed again and again.
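
The behaviour described above, as an added example that is not code from the RustFund repository or from this submission: a plain-Rust model of the handler logic that replays several `set_deadline` calls and counts how many are accepted. Assumptions: `Fund` is reduced to the two fields the report discusses, the Anchor `Context` is replaced by a direct `&mut Fund`, and the `set_flag` parameter and `replay` helper are hypothetical names used to compare the reported and mitigated behaviour.

```rust
// Plain-Rust model of the handler logic; not the Anchor program itself.
// Assumption: Fund is reduced to the two fields the report discusses.
#[derive(Debug, PartialEq)]
enum ErrorCode {
    DeadlineAlreadySet,
}

#[derive(Default)]
struct Fund {
    deadline: u64,
    dealine_set: bool, // spelling follows the code quoted in the report
}

// `set_flag` is a hypothetical switch: false reproduces the reported
// behaviour, true applies the one-line mitigation.
fn set_deadline(fund: &mut Fund, deadline: u64, set_flag: bool) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    if set_flag {
        fund.dealine_set = true;
    }
    fund.deadline = deadline;
    Ok(())
}

// Replays a sequence of calls on a fresh fund and returns
// (number of accepted calls, deadline stored at the end).
fn replay(deadlines: &[u64], set_flag: bool) -> (usize, u64) {
    let mut fund = Fund::default();
    let accepted = deadlines
        .iter()
        .filter(|&&d| set_deadline(&mut fund, d, set_flag).is_ok())
        .count();
    (accepted, fund.deadline)
}

fn main() {
    // Constructed sample: three successive deadline values.
    let calls: [u64; 3] = [1_700_000_000, 1_800_000_000, 1_900_000_000];
    println!("reported:  {:?}", replay(&calls, false));
    println!("mitigated: {:?}", replay(&calls, true));
}
```

The same `replay` check works as a regression test: after the first accepted call, every later call must fail and the stored deadline must not change.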

Tools Used

Manual analysis

Mitigation

Add the following line to the `set_deadline` function:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
+ fund.dealine_set = true;
fund.deadline = deadline;
Ok(())
}
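
Review bot: the added `fund.dealine_set = true;` line makes the call one-shot, but nothing in the visible body validates the `deadline: u64` argument, so with this change a mistaken value (0, or a time already in the past) can no longer be corrected. Suggest rejecting such values before the flag is set, so an invalid call fails without consuming the single allowed update. While this line is being touched, the misspelled field name `dealine_set` would also be worth renaming to `deadline_set` across the struct and its users.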
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function
