RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Contributions Allowed Before Deadline Initialization

lazyrams

Summary

The contribute function does not prevent contributions when no deadline is set (i.e., deadline == 0). This allows funds to be contributed even though the campaign deadline hasn't been established, contrary to the intended logic.

Vulnerability Details

In the contribute function, the check for deadline expiry is implemented as:

if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineReached.into());

}

This condition only evaluates to true if a deadline is set (non-zero). However, if the deadline is not set (deadline == 0), the condition fails, and contributions are allowed. This behavior conflicts with the desired logic where contributions should only be accepted after a valid deadline is established. Utilizing the fund.dealine_set flag would allow the contract to enforce that contributions cannot be made until the deadline is explicitly set.

Impact

Funds may be contributed to campaigns without a proper deadline, leading to potential misuse or mismanagement of funds.

It can result in unpredictable behavior regarding campaign closure, refunds, and fund withdrawals.
This flaw may compromise the overall trust and security of the crowdfunding platform.

Tools Used

Static analysis of contract logic
Manual code review

Recommendations

Modify the contribute function to include a check for the fund.dealine_set flag before allowing contributions. For example:

if !fund.dealine_set {

return Err(ErrorCode::DeadlineNotSet.into());

}

if fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineReached.into());

}

Update the ErrorCode enum to include a new error for unset deadlines (e.g., DeadlineNotSet).
Implement thorough unit testing to verify that contributions are only accepted when a deadline has been explicitly set.

Updates

Appeal created

bube Lead Judge 3 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

[Invalid] Contributions are allowed before the deadline is initialized.

There is no problem users to contribute to a given campaign before the deadline is initialized. The issue is when the users refund before the deadline is set.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.