Summary

The fund_create() function sets fund.deadline = 0 by default and does not enforce a required deadline. The contribute() function only enforces deadlines if deadline != 0. As a result, if the fund creator never calls set_deadline(), contributors can fund the campaign perpetually without cutoff. This breaks intended logic for time-bound campaigns and could lead to unintended fund misuse or security issues.

Vulnerability Details

Code: https://github.com/noob6t5/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L8C1-L24C1

The fund_create() function sets the deadline field to 0 and dealine_set to false by default. The set_deadline() function allows setting a deadline only once. If no deadline is ever set, the fund’s deadline remains at 0.

if fund.deadline != 0 && fund.deadline < current_unix_time {
return Err(ErrorCode::DeadlineReached.into());
}

If deadline == 0, this check is bypassed entirely.

This results in a contributors can deposit funds indefinitely,.

Impact

• In fund_create(), fund.deadline = 0.

• In contribute(), it only reject contributions if fund.deadline < now.

  • If fund.deadline = 0, this condition never triggers.

  • Result: Funds can be contributed forever

• No cutoff mechanism is enforced.

• It may have intended a time-bound campaign, but the system does not enforce that.

• Can lead to abuse, manipulation, or draining of funds long after a campaign’s lifecycle.

  Tools Used

  Manually

Recommendations

• Alternatively, reject fund_create() calls with deadline = 0.

• use Option<u64> for deadline and fail contributions if it is None.