RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Invalid

Missing Deadline Validation in set_deadline Function

Summary
The set_deadline function does not validate whether the provided deadline is in the future, allowing users to set an invalid past deadline.

Vulnerability Details
In the set_deadline function:

  • The function only checks if the deadline has already been set (dealine_set).

  • There is no validation to ensure that the provided deadline is greater than the current time.

Impact

  • A user may set a past deadline, making the fund immediately expired and preventing further contributions.

  • This could lead to funds being locked or to unexpected behavior in the refund process.

Tools Used

  • Manual code review

Recommendations
Before setting the deadline, add a validation check:

    if deadline <= Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
        return Err(ErrorCode::InvalidDeadline.into());
    }

This ensures that only future deadlines are allowed.
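
The recommended check, modelled in plain Rust so that the boundary cases can be exercised off-chain. This is an added example, not code from the RustFund program or from the submission. The `Fund` struct, the `DeadlineAlreadySet` variant and the `now` parameter (standing in for `Clock::get()?.unix_timestamp`) are assumptions; `dealine_set` and `InvalidDeadline` are taken from the report.

```rust
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineAlreadySet, // hypothetical name for the existing "already set" guard
    InvalidDeadline,    // the variant the recommendation returns
}

// Hypothetical stand-in for the on-chain fund account.
#[derive(Debug, Default, PartialEq)]
pub struct Fund {
    pub deadline: u64,
    pub dealine_set: bool, // spelled as in the report
}

/// `now` stands in for `Clock::get()?.unix_timestamp`, which is an i64 on Solana.
pub fn set_deadline(fund: &mut Fund, deadline: u64, now: i64) -> Result<(), ErrorCode> {
    // Existing guard described in the report: the deadline can be set only once.
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    // Convert without unwrap(): a negative clock value becomes an error
    // instead of a panic that aborts the instruction.
    let now = u64::try_from(now).map_err(|_| ErrorCode::InvalidDeadline)?;
    // Reject past deadlines and deadline == now; only strictly future values pass.
    if deadline <= now {
        return Err(ErrorCode::InvalidDeadline);
    }
    // State is written only after every check has passed.
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}

fn main() {
    let now = 1_700_000_000; // constructed sample timestamp
    let mut fund = Fund::default();
    println!("{:?}", set_deadline(&mut fund, 1_600_000_000, now)); // past
    println!("{:?}", set_deadline(&mut fund, 1_700_086_400, now)); // one day ahead
    println!("{:?}", set_deadline(&mut fund, 1_800_000_000, now)); // second call
}
```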

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function

The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds, the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set the correct deadline; otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.
