RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Valid

Missing Goal and Deadline Check in withdraw Function

Summary
The withdraw function allows the creator to withdraw funds at any time, without checking if the fundraising goal has been met or if the deadline has passed.

Vulnerability Details
In the withdraw function:

  • There is no validation to check if the fundraising goal has been met.

  • There is no check to ensure that the deadline has passed before allowing withdrawal.

  • This allows fund creators to withdraw even before the goal is reached or before the deadline expires, which may not align with typical crowdfunding rules.

Impact

  • The fund creator can withdraw contributions before the goal is reached, which may violate the fundraising intent.

  • Users may contribute expecting that funds will only be withdrawn if the goal is met, leading to trust issues.

  • If the deadline hasn’t passed, funds might be withdrawn while users are still trying to contribute.

Tools Used

  • Manual code review

Recommendations
Before allowing withdrawal, add validation checks:

// Reject unless the goal is met AND the deadline has passed.
if ctx.accounts.fund.amount_raised < ctx.accounts.fund.goal
    || ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap()
{
    return Err(ErrorCode::WithdrawalNotAllowed.into());
}

This ensures that the creator can only withdraw if:

  1. The fundraising goal is met and

  2. The deadline has passed
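The following is an added, stand-alone model of the withdraw guard, written for this write-up and not taken from the RustFund program; it covers both the unguarded behaviour described under Vulnerability Details and the recommended fix. The `Fund` struct, the `now` parameter (standing in for `Clock::get().unwrap().unix_timestamp`) and the `withdraw_unchecked` / `withdraw_checked` names are assumptions chosen for the example. It keeps the snippet's strict `deadline > now` comparison, so a withdrawal at exactly the deadline second is allowed, and it shows that a missing goal check and a missing deadline check each independently let the creator drain contributions early.

```rust
// Added example (not RustFund's code): a minimal in-memory model of a
// crowdfunding fund with the withdraw guard recommended in this finding.
// Assumed types: amounts are u64 lamports, deadline and `now` are i64 unix
// timestamps, mirroring the fields referenced in the recommended snippet.

#[derive(Debug, Clone, PartialEq)]
pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
    pub deadline: i64,
}

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    WithdrawalNotAllowed,
}

impl Fund {
    pub fn new(goal: u64, deadline: i64) -> Self {
        Fund { goal, amount_raised: 0, deadline }
    }

    /// Record a contribution; saturating_add avoids an overflow panic on
    /// absurd inputs in this model.
    pub fn contribute(&mut self, amount: u64) {
        self.amount_raised = self.amount_raised.saturating_add(amount);
    }

    /// Withdraw as the finding describes the original: pays out everything
    /// raised so far with no regard for the goal or the deadline.
    pub fn withdraw_unchecked(&mut self, _now: i64) -> Result<u64, ErrorCode> {
        Ok(std::mem::take(&mut self.amount_raised))
    }

    /// Withdraw with the recommended guard. `amount_raised < goal` rejects an
    /// under-funded campaign; `deadline > now` means the campaign is still
    /// open, so the strict comparison permits withdrawal at the deadline itself.
    pub fn withdraw_checked(&mut self, now: i64) -> Result<u64, ErrorCode> {
        if self.amount_raised < self.goal || self.deadline > now {
            return Err(ErrorCode::WithdrawalNotAllowed);
        }
        Ok(std::mem::take(&mut self.amount_raised))
    }
}

fn main() {
    // Constructed scenario: goal 1_000, deadline at t = 2_000.
    let mut fund = Fund::new(1_000, 2_000);
    fund.contribute(600);

    // Before goal and before deadline: the unguarded version pays out anyway.
    println!(
        "t=1500 raised=600: unchecked={:?} checked={:?}",
        fund.clone().withdraw_unchecked(1_500),
        fund.withdraw_checked(1_500)
    );

    // Goal met but campaign still open: still rejected.
    fund.contribute(400);
    println!("t=1999 raised=1000: checked={:?}", fund.withdraw_checked(1_999));

    // Goal met and deadline reached: allowed.
    println!("t=2000 raised=1000: checked={:?}", fund.withdraw_checked(2_000));
}
```

Run it with `cargo run` or `rustc` as a single file; the printed lines show the unguarded withdraw succeeding at t=1500 while the guarded one returns `WithdrawalNotAllowed` until both conditions hold.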

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

No goal achievement check in `withdraw` function
