RustFund

First Flight #36
Submission Details
Severity: medium
Valid

set_deadline Can Be Called Multiple Times

Summary

The set_deadline function is intended to be called only once per campaign, as stated in the documentation:

"Creators can set campaign deadlines."

However, due to a logic error, the function allows multiple calls to change the deadline, contradicting the expected behavior.

Vulnerability Details

  • The function is supposed to check if the deadline has already been set using fund.dealine_set, but due to a spelling mistake (dealine_set instead of deadline_set), this check is never enforced.

  • As a result, a creator can call set_deadline multiple times and arbitrarily extend or change the deadline.

Proof of Concept

  • A creator initializes a fundraising campaign and sets a deadline of April 1, 2025.

  • As the deadline approaches, they call set_deadline again and push it to June 1, 2025.

  • They continue doing this indefinitely, preventing contributors from claiming refunds.

Affected Code

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    if fund.dealine_set { // Typo in variable name, check is ineffective
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }
    fund.deadline = deadline;
    Ok(())
}

Impact

  • Creators can extend deadlines indefinitely, preventing contributors from reclaiming their funds.

  • This directly violates the one-time deadline-setting rule expected in the documentation.

  • Can be abused to delay refund eligibility for contributors indefinitely.

Tools Used

Manual code review

Recommendations

Fix the typo: Change dealine_set to deadline_set

Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function
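
The assigned tag notes that the flag is never updated in set_deadline. The block below is an added example, not part of the submission or the RustFund code: a plain-Rust model (no Anchor; the Fund struct, the function names and the timestamps are assumptions constructed here) that compares the setter as quoted in the submission with a variant that records the flag, and can serve as a regression check for the fix.

```rust
// Simplified stand-in for the on-chain Fund account (assumption: plain struct,
// no Anchor). The field name follows the snippet quoted in the submission.
#[derive(Default)]
pub struct Fund {
    pub deadline: u64,
    pub dealine_set: bool,
}

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineAlreadySet,
}

type Setter = fn(&mut Fund, u64) -> Result<(), ErrorCode>;

// Setter as quoted in the submission: the guard reads the flag, but nothing
// ever writes it, so it stays false and every call passes.
pub fn set_deadline_as_submitted(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    Ok(())
}

// Hardened variant: record that the deadline was set so the guard can fire.
pub fn set_deadline_once(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}

// Calls the setter twice on a fresh Fund; returns (second result, final deadline).
pub fn call_twice(setter: Setter, first: u64, second: u64) -> (Result<(), ErrorCode>, u64) {
    let mut fund = Fund::default();
    setter(&mut fund, first).expect("first call must succeed");
    let second_result = setter(&mut fund, second);
    (second_result, fund.deadline)
}

fn main() {
    // Constructed Unix timestamps for 2025-04-01 and 2025-06-01 (UTC).
    let (april, june) = (1_743_465_600, 1_748_736_000);
    println!("{:?}", call_twice(set_deadline_as_submitted, april, june));
    println!("{:?}", call_twice(set_deadline_once, april, june));
}
```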
