The refund function in the RustFund contract has a flaw in its deadline check. If the deadline is not set (i.e., remains 0), users can trigger refunds at any time, bypassing the intended restriction that refunds should only occur after the deadline passes and goals are unmet.
The refund function allows contributors to request a refund if the fund’s goals are not met after the deadline. According to the documentation, refunds should only be possible when the deadline has passed and goals are unmet. However, the deadline check is flawed:
If ctx.accounts.fund.deadline is 0 (the default value when a fund is created), the condition is skipped entirely, allowing refunds even when no deadline has been set. This means contributors can withdraw their contributions immediately after contributing, regardless of the fund’s state.
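The check described above, modelled in plain Rust as an added example (not the RustFund source). The Fund struct, the error names and both function names are assumptions; the flawed function reproduces only the behaviour stated in this finding, beside a hardened form that rejects an unset deadline and requires the goal to be unmet.

```rust
// Plain-Rust model of the refund gate (constructed; not the RustFund source).
#[derive(Debug, PartialEq)]
enum RefundError {
    DeadlineNotSet,
    DeadlineNotReached,
    GoalReached,
}

struct Fund {
    goal: u64,
    deadline: u64, // 0 is the default at creation, i.e. "not set"
    amount_raised: u64,
}

// Behaviour described in the finding: the check is skipped when deadline == 0.
fn refund_check_flawed(fund: &Fund, now: u64) -> Result<(), RefundError> {
    if fund.deadline != 0 && fund.deadline > now {
        return Err(RefundError::DeadlineNotReached);
    }
    Ok(())
}

// Hardened: an unset deadline is an explicit error, and the goal must be unmet.
fn refund_check_hardened(fund: &Fund, now: u64) -> Result<(), RefundError> {
    if fund.deadline == 0 {
        return Err(RefundError::DeadlineNotSet);
    }
    if now < fund.deadline {
        return Err(RefundError::DeadlineNotReached);
    }
    if fund.amount_raised >= fund.goal {
        return Err(RefundError::GoalReached);
    }
    Ok(())
}

fn main() {
    let now: u64 = 1_700_000_000; // constructed timestamp
    let unset = Fund { goal: 1_000, deadline: 0, amount_raised: 100 };
    let open = Fund { goal: 1_000, deadline: now + 3_600, amount_raised: 100 };
    let failed = Fund { goal: 1_000, deadline: now - 1, amount_raised: 100 };
    for (name, f) in [("unset", &unset), ("open", &open), ("failed", &failed)] {
        let (a, b) = (refund_check_flawed(f, now), refund_check_hardened(f, now));
        println!("{}: flawed={:?} hardened={:?}", name, a, b);
    }
}
```

Only the "unset" case differs between the two functions, which is the regression test a fix should carry.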
This vulnerability allows contributors to bypass the intended refund restrictions, potentially disrupting the fund’s operation. Funds could be drained prematurely, undermining the creator’s ability to reach the goal. While the impact is limited to contributed amounts and does not affect the entire contract, it can still lead to significant loss of trust and functionality in the funding process.
Manual Code Review and Foundry