RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Typographical Error in `Fund` Struct and Deadline Handling Functions

SashaFlores

Summary

The dealine_set bool member in Fund struct that is written to and read from in fund_create and set_deadline functions has the same typo error. It's misspelled by missing the letter d and should be deadline_set, despite the fact that this error doesn't cause a security vulnerability; it introduces ambiguity and increases the risk of future errors in code upgradeability.

Vulnerability Details

Line 190: the dealine_set bool member in struct Fund has a typo, it should be deadline_set:

pub struct Fund {

#[max_len(200)]

pub name: String,

#[max_len(5000)]

pub description: String,

pub goal: u64,

pub deadline: u64,

pub creator: Pubkey,

pub amount_raised: u64,

pub dealine_set: bool,

}

Line 20: fund.dealine_set = false

pub fn fund_create(ctx: Context<FundCreate>, name: String, description: String, goal: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

fund.name = name;

fund.description = description;

fund.goal = goal;

fund.deadline = 0;

fund.creator = ctx.accounts.creator.key();

fund.amount_raised = 0;

fund.dealine_set = false;

Ok(())

}

Line 57: In set_deadline function, dealine_set typo:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

Ok(())

}

Impact

Code Maintainability: The typo complicates code readability and increases the likelihood of errors if future developers mistakenly introduce a correctly spelled field (deadline_set) alongside the incorrect one (dealine_set) leading to **conflicting logic.
Ambiguity: The misspelling could confuse developers or auditors interpreting the purpose of the field.
No Direct Security Risk: The typo alone doesn't bypass security invariants, as long as the misspelling is consistent.

Tools Used

Manual Code Review

Recommendations

Rename dealine_set to deadline_set in the Fund struct.
Update the set_deadline function to reference to fund.deadline_set.
Fix the fund_create function to reference to fund.deadline_set = false.

If on-chain state already exists with dealine_set, renaming it directly may invalidate existing accounts. To avoid breaking stored data and ensure backward comptability:

#[account]

pub struct Fund {

...

pub deadline_set: bool, // Corrected field

pub _deprecated_dealine_set: bool, // Preserve old field if needed

}

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[Invalid] Wrong naming of `deadline_set`

This is strong informational finding, there is no impact for the protocol. The variable is the same on all places.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.