RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Fund Owner Can Repeatedly Update Deadline Due to Unupdated dealine_set Flag

bshyuunn

01. Relevant GitHub Links

https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L55

02. Summary

The set_deadline function allows the fund owner to set the deadline for a fund. Although it checks if the deadline has already been set using the dealine_set flag, this flag is never updated after the deadline is set. As a result, the fund owner can repeatedly update the deadline without restriction.

03. Vulnerability Details

In the set_deadline function, the fund owner sets the fund’s deadline:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

Ok(())

}

The function checks the dealine_set flag to prevent resetting the deadline, but after setting fund.deadline, the dealine_set flag remains unchanged (i.e., it is not set to true). This allows the fund owner to call set_deadline multiple times and update the deadline indefinitely.

04. Impact

The fund owner can continuously modify the deadline, potentially extending the fundraising period or delaying refunds. This undermines the integrity of the fund’s timeline and could confuse or mislead contributors who rely on a fixed deadline.

05. Proof of Concept

Add the following PoC code to rustfund.ts to test the vulnerability:

it.only("dealine_set is always false", async () => {

// 1. create fund

await program.methods

.fundCreate(fundName, description, goal)

.accounts({

fund: fundPDA,

creator: creator.publicKey,

systemProgram: anchor.web3.SystemProgram.programId,

})

.rpc();

// 2. check dealine_set

var fund = await program.account.fund.fetch(fundPDA);

expect(fund.dealineSet).to.equal(false);

console.log("Before dealineSet: ", fund.dealineSet);

// 3. set deadline

await program.methods

.setDeadline(deadline)

.accounts({

fund: fundPDA,

creator: creator.publicKey,

})

.rpc();

// 4. check deadline

fund = await program.account.fund.fetch(fundPDA);

expect(fund.dealineSet).to.equal(false);

console.log("After dealineSet: ", fund.dealineSet);

});

The logs show that dealineSet remains false even after calling setDeadline:

rustfund

Before dealineSet: false

After dealineSet: false

✔ dealine_set is always false (660ms)

06. Tools Used

Manual Code Review and Foundry

07. Recommended Mitigation

Update the dealine_set flag to true after setting the deadline:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

+ fund.dealine_set = true

Ok(())

}

Updates

Appeal created

bube Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.