Submission Details
Severity:
Lack of Access Control on Withdrawal Function
Summary
The Withdrawal function has no access control.
Vulnerability Details
The withdraw function does not enforce strict access control, allowing any user to potentially withdraw funds from a campaign.
Impact
Funds could be taken out by unauthorized users.
Tools Used
pub fn withdraw(ctx: Context<Withdraw>, amount: u64) -> ProgramResult {
let campaign = &mut ctx.accounts.campaign;
// No access control check
if campaign.total_amount < amount {
return Err(ProgramError::InsufficientFunds);
}
// External call to transfer funds
invoke(
&system_instruction::transfer(
&campaign.key(),
&ctx.accounts.creator.key,
amount,
),
&[
campaign.to_account_info(),
ctx.accounts.creator.to_account_info(),
ctx.accounts.system_program.to_account_info(),
],
)?;
campaign.total_amount -= amount;
Ok(())
}
Recommendations
The withdraw function should only be called by the campaign creator.
pub fn withdraw(ctx: Context<Withdraw>, amount: u64) -> ProgramResult {
let campaign = &mut ctx.accounts.campaign;
// Access control check
if campaign.creator != *ctx.accounts.creator.key {
return Err(ProgramError::Unauthorized);
}
if campaign.total_amount < amount {
return Err(ProgramError::InsufficientFunds);
}
// External call to transfer funds
invoke(
&system_instruction::transfer(
&campaign.key(),
&ctx.accounts.creator.key,
amount,
),
&[
campaign.to_account_info(),
ctx.accounts.creator.to_account_info(),
ctx.accounts.system_program.to_account_info(),
],
)?;
campaign.total_amount -= amount;
Ok(())
}
Updates
Appeal created
bube 4 months ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
[Invalid] Lack of access control in `withdraw` function
There are enough security checks in `withdraw` function. Anchor enforces that creator must sign the transaction. And the `has_one = creator` ensures that the fund’s creator matches the provided creator account.
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.