RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Valid

Missing Deadline and Goal Checks in `withdraw` Function

Description

The `withdraw` function lets the campaign creator withdraw the raised funds without verifying either of the conditions the protocol's rules attach to a payout:

  1. That the campaign deadline has passed (`deadline < current_time`).

  2. That the fundraising goal has been met (`amount_raised >= goal`).

Because neither check exists, the creator can drain the funds at any time: while the campaign is still running, or after it has closed without reaching its goal.


Impact

  • Fund Theft: The creator can withdraw contributions before the deadline or before the goal is met, taking money the protocol's rules do not yet (or, for a campaign that ends short of its goal, ever) entitle them to.

  • Loss of Trust: Contributors cannot rely on the deadline and goal being enforced, so the platform's basic campaign logic offers them no protection.


Affected Code

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
    let amount = ctx.accounts.fund.amount_raised;
    // Missing checks for deadline and goal!
    // Creator can withdraw at any time.
}

Recommendation

Add explicit checks for the deadline and goal at the top of `withdraw`, before any funds are moved. `require!` returns early with the given error, so a failing check aborts the instruction and no state change is committed:

let fund = &ctx.accounts.fund;

// Ensure the deadline has passed
let current_time = Clock::get()?.unix_timestamp.try_into().unwrap();
require!(fund.deadline < current_time, ErrorCode::DeadlineNotReached);

// Ensure the goal is met
require!(fund.amount_raised >= fund.goal, ErrorCode::GoalNotMet);

With both checks in place the creator can only withdraw from a campaign that has both closed and succeeded. The submission adds only `GoalNotMet`, so `DeadlineNotReached` is taken to already exist in `ErrorCode`; if it does not, add it the same way.

Add the missing error variant:

    #[error_code]
    pub enum ErrorCode {
        // ...
        #[msg("Campaign goal not met")]
        GoalNotMet,
    }
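A dependency-free model of the two checks, added here as an illustration; it is not part of the RustFund code or of this submission. The names `Fund`, `WithdrawError`, `withdraw_unchecked` and `withdraw_checked` are stand-ins for the Anchor account, the `ErrorCode` enum and the instruction handler, `now_unix` plays the role of `Clock::get()?.unix_timestamp`, and the on-chain lamport transfer is reduced to zeroing `amount_raised`. It goes slightly beyond the recommendation in two places: the clock value is converted with `try_from` instead of `unwrap()`, so a negative timestamp yields an error rather than a panic, and the strict `<` comparison is shown to treat a deadline equal to the current time as not yet passed.

```rust
use std::convert::TryFrom;

/// Stand-in for the `Fund` account (assumed field names; the real account
/// carries more fields, which the checks do not need).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Fund {
    pub goal: u64,
    pub deadline: u64, // unix timestamp stored on the account
    pub amount_raised: u64,
}

/// Stand-in for the `ErrorCode` variants `withdraw` needs.
#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError {
    DeadlineNotReached,
    GoalNotMet,
    /// Negative clock value: returned instead of panicking in `try_into().unwrap()`.
    InvalidClock,
}

/// Mirrors the vulnerable handler: pays out the whole balance with no checks.
/// The lamport transfer is modelled by zeroing `amount_raised`.
pub fn withdraw_unchecked(fund: &mut Fund, _now_unix: i64) -> Result<u64, WithdrawError> {
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    Ok(amount)
}

/// Hardened handler: both checks from the recommendation run before any payout.
pub fn withdraw_checked(fund: &mut Fund, now_unix: i64) -> Result<u64, WithdrawError> {
    // `Clock::get()?.unix_timestamp` is an i64; convert explicitly so a negative
    // value becomes an error rather than a panic.
    let now = u64::try_from(now_unix).map_err(|_| WithdrawError::InvalidClock)?;

    // The deadline must have passed. This is the strict `fund.deadline < now` of
    // the recommendation, so a fund whose deadline equals `now` is still open.
    if fund.deadline >= now {
        return Err(WithdrawError::DeadlineNotReached);
    }

    // The goal must be met.
    if fund.amount_raised < fund.goal {
        return Err(WithdrawError::GoalNotMet);
    }

    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    Ok(amount)
}

fn main() {
    // Constructed sample: goal 5 SOL, 3 SOL raised, deadline still in the future.
    let fund = Fund {
        goal: 5_000_000_000,
        deadline: 1_700_000_000,
        amount_raised: 3_000_000_000,
    };
    let before_deadline = 1_699_999_000;
    let after_deadline = 1_700_000_001;

    println!("unchecked, before deadline: {:?}", withdraw_unchecked(&mut fund.clone(), before_deadline));
    println!("checked,   before deadline: {:?}", withdraw_checked(&mut fund.clone(), before_deadline));
    println!("checked,   after deadline:  {:?}", withdraw_checked(&mut fund.clone(), after_deadline));

    let mut funded = Fund { amount_raised: 5_000_000_000, ..fund };
    println!("checked,   goal met:        {:?}", withdraw_checked(&mut funded, after_deadline));
}
```

Run it with `rustc` or `cargo run`: the unchecked path pays out 3 SOL before the deadline, while the checked path refuses with `DeadlineNotReached`, then with `GoalNotMet` once the deadline has passed, and only pays out once the fund has both closed and reached its goal.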
Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

No goal achievement check in `withdraw` function
