RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Invalid

No Requirement Check for Deadline Value in `set_deadline` function, which could lead to loss of funds

Summary: The set_deadline function does not validate the provided deadline value.

Vulnerability Details: The set_deadline function does not validate the provided deadline value. It allows setting a deadline in the past or to zero, which could lead to immediate closure of the fund or other unintended behaviors.

Impact:

  • Setting a past deadline could immediately make the fund eligible for refunds or withdrawals, bypassing the intended funding period.

  • Setting a deadline to zero might be interpreted as no deadline, potentially allowing immediate actions depending on the logic.

Recommendations

+ Add validation to ensure the deadline is in the future.
+ let current_time = Clock::get()?.unix_timestamp.try_into().unwrap();if deadline <= current_time { return Err(ErrorCode::InvalidDeadline.into());}
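
Review bot: in the second added line, `Clock::get()?.unix_timestamp.try_into().unwrap()` panics if the conversion fails, while the statement right after it reports a bad deadline as an ordinary error via `ErrorCode::InvalidDeadline`; map the conversion failure to an error as well instead of unwrapping. The lines also depend on an `ErrorCode::InvalidDeadline` variant that the patch does not add, and `deadline <= current_time` rejects a deadline equal to the current timestamp, which is worth stating in the error message or a doc comment.
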
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function

The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds, the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set the correct deadline; otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.
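
The check discussed in this submission, as an added example that is neither part of the submission nor RustFund's code: a plain-Rust model (no Solana or Anchor dependency) in which `Fund`, `DeadlineError` and both setters are hypothetical names and `now_unix` stands in for the on-chain clock. It shows a past deadline ending the funding period at once when stored unchecked, and a checked setter that rejects zero, past and present values without panicking on a negative clock value.

```rust
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum DeadlineError {
    ClockBeforeEpoch, // clock reported a negative timestamp
    NotInFuture,      // deadline is zero, in the past, or equal to "now"
}

// Hypothetical stand-in for the fund account; `None` means no deadline set yet.
pub struct Fund {
    pub deadline: Option<u64>, // Unix seconds
}

impl Fund {
    /// Behaviour the submission describes: any value is stored as-is.
    pub fn set_deadline_unchecked(&mut self, deadline: u64) {
        self.deadline = Some(deadline);
    }

    /// Setter with the check. `now_unix` stands in for `Clock::get()?.unix_timestamp` (an i64).
    pub fn set_deadline_checked(&mut self, deadline: u64, now_unix: i64) -> Result<(), DeadlineError> {
        // Convert without unwrap(): a negative clock value becomes an error, not a panic.
        let now = u64::try_from(now_unix).map_err(|_| DeadlineError::ClockBeforeEpoch)?;
        if deadline <= now {
            return Err(DeadlineError::NotInFuture);
        }
        self.deadline = Some(deadline);
        Ok(())
    }

    /// The funding period is over once the clock reaches the stored deadline.
    pub fn funding_period_over(&self, now_unix: i64) -> bool {
        match (self.deadline, u64::try_from(now_unix)) {
            (Some(deadline), Ok(now)) => now >= deadline,
            _ => false,
        }
    }
}

fn main() {
    let now: i64 = 1_700_000_000; // constructed timestamp
    let mut fund = Fund { deadline: None };
    fund.set_deadline_unchecked(now as u64 - 1);
    println!("unchecked, past deadline -> period over: {}", fund.funding_period_over(now));
    println!("checked, past deadline   -> {:?}", fund.set_deadline_checked(now as u64 - 1, now));
    println!("checked, zero deadline   -> {:?}", fund.set_deadline_checked(0, now));
    println!("checked, future deadline -> {:?}", fund.set_deadline_checked(now as u64 + 86_400, now));
}
```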
