Summary

In the set_deadline function, the deadline can be set if fund.deadline_set is false. However, since fund.deadline_set is not updated to true after setting the deadline, the creator can modify it multiple times. If allowing multiple changes is intended, the condition check is unnecessary.

Vulnerability Details

In the set_deadline function, you are checking whether the deadline has already been set or not. If fund.deadline_set is false, then the deadline can be set. However, once the deadline has been set, you are not updating fund.deadline_set to true, which allows the creator to change or extend the deadline multiple times whenever they want. And if you want the creator to be able to change the deadline multiple times, then there is no need to check the condition.

Impact

The current implementation allows the creator to extend the deadline as many times as they want. This means they can keep delaying the refund process indefinitely, which creates a serious risk for contributors. Since there is no restriction on how often the deadline can be changed, the creator could take advantage of this loophole to avoid refunding money, potentially scamming contributors.

Tools Used

Solana Explorer
Vs Code

Recommendations

Set fund.deadline_set to true Immediately after the deadline is set. This way, once the creator sets the deadline, fund.deadline_set will be true, preventing any further changes to the deadline. This ensures that the creator cannot extend the deadline, effectively preventing potential scams and protecting contributors.