RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Invalid

Max lengths should be checked for name and description

Summary

Although the Account definition includes a maximum length limit, there is no validation when storing values in the fund account variables.

https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L182

https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L14

Vulnerability Details

`lib.rs::fund_create` doesn't have proper validation on inputs for these 2 variables: name and description

Impact

Without proper validation, data stored in the fund account may be truncated or cause unintended reverts, leading to inconsistencies and potential failures in fund creation

Tools Used

Manual review

Recommendations

Check for lengths in the `lib.rs::fund_create` function:

```rust
// Reject inputs that exceed the Fund account's #[max_len] limits before storing them
if name.len() > 200 || description.len() > 5000 {
    return Err(ErrorCode::InvalidStringLength.into());
}
```
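As an added example that is not code from the submission or the RustFund repository: a plain-Rust model (no Anchor dependency) of the recommended check, including the byte-versus-character caveat of `String::len()` and the `4 + N` bytes Anchor's `InitSpace` reserves for a `#[max_len(N)]` String. The constants, error enum and function names are assumptions, and only the two string fields of `Fund` are modelled.

```rust
// Added example, not code from the RustFund repository. Models the length check
// recommended above and the space a `#[max_len(N)]` String occupies in an
// Anchor account; runs without any Anchor dependency.

/// Limits matching the `#[max_len(...)]` attributes quoted on this page.
pub const MAX_NAME_LEN: usize = 200;
pub const MAX_DESCRIPTION_LEN: usize = 5000;

/// Assumed error type; the real program would use its own `ErrorCode`.
#[derive(Debug, PartialEq)]
pub enum FundError {
    InvalidStringLength,
}

/// Explicit input validation for `fund_create`. `String::len()` counts UTF-8
/// bytes, which is also what Borsh serializes, so a name of 200 two-byte
/// characters is rejected even though it is "200 characters" long.
pub fn validate_fund_inputs(name: &str, description: &str) -> Result<(), FundError> {
    if name.len() > MAX_NAME_LEN || description.len() > MAX_DESCRIPTION_LEN {
        return Err(FundError::InvalidStringLength);
    }
    Ok(())
}

/// Bytes Borsh needs for a String: a 4-byte little-endian length prefix plus
/// the raw UTF-8 bytes. Anchor's `InitSpace` reserves `4 + N` for `#[max_len(N)]`.
pub fn borsh_string_size(s: &str) -> usize {
    4 + s.len()
}

/// Space `InitSpace` reserves for just the two string fields
/// (assumption: the other `Fund` fields are ignored here).
pub fn reserved_string_space() -> usize {
    (4 + MAX_NAME_LEN) + (4 + MAX_DESCRIPTION_LEN)
}

/// True when both serialized strings fit in the reserved space. When this is
/// false, Anchor fails while writing the account back at the end of the
/// instruction rather than with a dedicated, descriptive error code.
pub fn fits_reserved_space(name: &str, description: &str) -> bool {
    borsh_string_size(name) + borsh_string_size(description) <= reserved_string_space()
}

fn main() {
    let ok_name = "a".repeat(MAX_NAME_LEN);
    let wide_name = "é".repeat(MAX_NAME_LEN); // 200 characters but 400 bytes
    println!("{:?}", validate_fund_inputs(&ok_name, "desc"));
    println!("{:?}", validate_fund_inputs(&wide_name, "desc"));
}
```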
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Lack of length validation of `name` and `description` in `fund_create` function

There is a validation for the lengths of `name` and `description` in the `fund_create` function:

```rust
pub struct Fund {
    #[max_len(200)]
    pub name: String,
    #[max_len(5000)]
    .....
}
```

Anchor will check for the lengths of these parameters and the function will fail if they have more characters than the constraints.
