RustFund

First Flight #36
Submission Details
Severity: high
Invalid

Absence of validation for the creator's address in the set_deadline function.

Summary

The function handles setting a deadline for a specific fund account.

Vulnerability Details

There is no validation for the address attempting to set the deadline for a specific fund.

Impact

Anyone can modify the deadline: This could result in malicious users or unintended participants setting an arbitrary deadline, which might disrupt the fund's operations or goals.

Tools Used

manual review

Recommendations

Please add validation for set_deadline:

```rust
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;
    // Validate that the signer is the fund's creator. The account names follow
    // the FundSetDeadline context quoted in the judgement below (`creator` signer
    // account and `creator` field on Fund).
    if ctx.accounts.creator.key() != fund.creator {
        return Err(ErrorCode::Unauthorized.into());
    }
    // Check if the deadline has already been set
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }
    // Set the deadline and mark it as set
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}
```
Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Lack of access control in `set_deadline` function

There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function:

```rust
#[account(mut, has_one = creator)]
pub fund: Account<'info, Fund>
```

If they don't match, the transaction fails. Also, signer verification is included:

```rust
#[account(mut)]
pub creator: Signer<'info>,
```

The creator account must be a signer, meaning the transaction must be signed using the creator's private key.
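To make the judgement's point concrete, here is an added plain-Rust model (not anchor_lang and not the RustFund code) of what the `has_one = creator` and `Signer` constraints enforce before the `set_deadline` handler body runs. The `Fund`, `AccountInfo` and `ErrorCode` types are stand-ins constructed for the example; the field name `dealine_set` is kept as it appears in the submission's code.

```rust
// Plain-Rust model of the two Anchor constraints cited in the judgement:
// `has_one = creator` on the fund account and `Signer<'info>` on `creator`.
// Anchor evaluates these while building the account context, before the
// handler body runs. Illustrative model only; it does not use anchor_lang.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    ConstraintHasOne,   // fund.creator != creator.key()
    ConstraintSigner,   // creator account did not sign the transaction
    DeadlineAlreadySet, // handler-level check from the page's code
}

pub struct Fund {
    pub creator: Pubkey,
    pub deadline: u64,
    pub dealine_set: bool, // field name as it appears in the submission
}

pub struct AccountInfo {
    pub key: Pubkey,
    pub is_signer: bool,
}

/// Models FundSetDeadline context validation: both constraints must pass
/// before the handler is reached, so the handler needs no key check of its own.
pub fn validate_fund_set_deadline(fund: &Fund, creator: &AccountInfo) -> Result<(), ErrorCode> {
    if !creator.is_signer {
        return Err(ErrorCode::ConstraintSigner);
    }
    if fund.creator != creator.key {
        return Err(ErrorCode::ConstraintHasOne);
    }
    Ok(())
}

/// The handler body; the caller's identity was already settled by the constraints.
pub fn set_deadline(fund: &mut Fund, creator: &AccountInfo, deadline: u64) -> Result<(), ErrorCode> {
    validate_fund_set_deadline(fund, creator)?; // Anchor performs this implicitly
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}
```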
