RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: low
Valid

No Zero Check

Summary: There is no zero check for goal in the fund_create function, which could allow creators to set zero goals.

Vulnerability Details: In the fund_create function, there is no validation to ensure the goal is greater than zero. This oversight allows creators to set a funding goal of zero, which is likely not the intended behavior for a crowdfunding platform.

  1. A creator calls fund_create with goal = 0.

  2. The fund is created with goal = 0.

  3. Any contribution, even zero, would technically meet the goal, allowing the creator to withdraw funds immediately if no other checks are in place.
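
The sequence above as a plain-Rust model, added here as an illustration and not taken from the RustFund program. `Fund`, `FundError`, `goal_met`, `contribute` and the two `fund_create_*` variants are hypothetical names, and the rule that a campaign succeeds once `amount_raised >= goal` is an assumption.

```rust
// Plain-Rust model (no Anchor). Every name except `goal` and `fund_create`
// is an assumption made for this example.
#[derive(Debug, PartialEq)]
pub enum FundError {
    InvalidGoal,
}

#[derive(Debug, PartialEq)]
pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
}

/// Behaviour described in the finding: any `goal`, including 0, is accepted.
pub fn fund_create_unchecked(goal: u64) -> Fund {
    Fund { goal, amount_raised: 0 }
}

/// Hardened variant: reject a zero goal before any state is written.
pub fn fund_create_checked(goal: u64) -> Result<Fund, FundError> {
    if goal == 0 {
        return Err(FundError::InvalidGoal);
    }
    Ok(Fund { goal, amount_raised: 0 })
}

/// Assumed success rule: the campaign succeeds once contributions reach the goal.
pub fn goal_met(fund: &Fund) -> bool {
    fund.amount_raised >= fund.goal
}

/// Adds a contribution, refusing on overflow instead of wrapping.
pub fn contribute(fund: &mut Fund, amount: u64) -> bool {
    match fund.amount_raised.checked_add(amount) {
        Some(total) => { fund.amount_raised = total; true }
        None => false,
    }
}

fn main() {
    let zero = fund_create_unchecked(0);
    println!("goal=0, raised=0 -> goal_met = {}", goal_met(&zero));
    println!("checked create with goal=0 -> {:?}", fund_create_checked(0));
    let mut real = fund_create_checked(1_000).unwrap();
    contribute(&mut real, 400);
    println!("goal=1000, raised=400 -> goal_met = {}", goal_met(&real));
}
```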

Impact:

  • Setting a goal of zero could lead to funds being considered "successful" immediately, as any contribution (including zero) would meet or exceed the goal.

  • This could confuse contributors who expect a meaningful funding target.

  • It might enable potential exploitation where creators could withdraw funds without meeting a legitimate goal.

Tools Used: anchor test, Manual code review

Recommendations

+ Add a check in fund_create to ensure goal > 0.
+ if goal == 0 { return Err(ErrorCode::InvalidGoal.into());}
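Review bot: the first added line, `+ Add a check in fund_create to ensure goal > 0.`, is prose rather than Rust and would not compile if applied as written; turn it into a `//` comment or move it out of the patch. The second line returns `ErrorCode::InvalidGoal`, but nothing here adds that variant to the error enum, so the patch should include it together with a message. Place the check at the top of fund_create, before any account field is written; in Anchor the same guard can be written as `require!(goal > 0, ErrorCode::InvalidGoal);`.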
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No minimal amount for the `goal` in `fund_create` is greater than 0

If the `goal` is 0, the campaign goal is achieved immediately and the creator can withdraw the contributors' funds. The contributors select themselves which campaign to support, therefore I think Low severity is appropriate here.
