RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Valid

Missing Deadline Validation Allows Refunds/Withdrawals at Any Point in Time

Summary

Contributions should be rejected when the deadline is not set; otherwise anyone can set one and withdraw or claim a refund at any time.

This will always be true:

https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L70

Vulnerability Details

The contract does not check that a deadline has been set before allowing contributions and refunds. As a result, while the deadline remains unset, refunds and withdrawals are possible at any time.
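
The bypass described above, reduced to a plain-Rust model (an added example, not the RustFund program's own code). Only the contribute guard's shape and `DeadlineReached` come from this page; the `u64` deadline, the refund guard, `DeadlineNotSet` and `DeadlineNotReached` are assumptions for illustration.

```rust
// Plain-Rust model added for illustration; not the RustFund program itself.
#[derive(Debug, PartialEq)]
pub enum GuardError {
    DeadlineReached,    // named in the page's diff
    DeadlineNotSet,     // hypothetical variant
    DeadlineNotReached, // hypothetical variant
}

// Guard as on the page's '-' line: deadline == 0 (unset) skips the time check.
pub fn contribute_original(deadline: u64, now: u64) -> Result<(), GuardError> {
    if deadline != 0 && deadline < now {
        return Err(GuardError::DeadlineReached);
    }
    Ok(())
}

// Hardened: reject the unset case first, with its own error.
pub fn contribute_hardened(deadline: u64, now: u64) -> Result<(), GuardError> {
    if deadline == 0 {
        return Err(GuardError::DeadlineNotSet);
    }
    contribute_original(deadline, now)
}

// Assumed refund-side guard written in the same `!= 0 &&` style.
pub fn refund_sentinel_style(deadline: u64, now: u64) -> Result<(), GuardError> {
    if deadline != 0 && deadline > now {
        return Err(GuardError::DeadlineNotReached);
    }
    Ok(())
}

// Hardened refund guard: an unset deadline is never treated as "passed".
pub fn refund_hardened(deadline: u64, now: u64) -> Result<(), GuardError> {
    if deadline == 0 {
        return Err(GuardError::DeadlineNotSet);
    }
    refund_sentinel_style(deadline, now)
}

fn main() {
    let now: u64 = 1_700_000_000; // constructed timestamp
    for d in [0, now - 1, now + 3600] { // unset, past, future
        println!("deadline={}: contribute {:?} -> {:?}, refund {:?} -> {:?}", d,
            contribute_original(d, now), contribute_hardened(d, now),
            refund_sentinel_style(d, now), refund_hardened(d, now));
    }
}
```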

Impact

Contributors can reclaim their funds at any time if the deadline is unset.

Contributors can withdraw their funds at any time if the deadline is unset.

The fundraising goal may never be properly enforced.

Tools Used

Manual review

Recommendations

Reject contributions when the deadline is not set; otherwise anyone can set one and withdraw or claim a refund at any time. Update this code in the lib.rs::contribute() function:

- if fund.deadline != 0
+ if fund.deadline == 0 || fund.deadline != 0
&& fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap()
{
return Err(ErrorCode::DeadlineReached.into());
}
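
Review bot: On the `+` line, the `fund.deadline != 0` term is redundant and the unset case is reported with the wrong error. Because `&&` binds tighter than `||`, the condition parses as `fund.deadline == 0 || (fund.deadline != 0 && fund.deadline < now)`, and the right-hand side is only evaluated when the deadline is already non-zero. With this change an unset deadline returns `ErrorCode::DeadlineReached`, which misstates why the contribution was rejected. Consider a separate leading `if fund.deadline == 0` check that returns its own error (a new variant would be needed; none is visible in this hunk) and leaving the original time comparison as it was. On the context line, `Clock::get().unwrap()` and `.try_into().unwrap()` panic on failure instead of returning an error; propagating with `?` would be safer. The change also touches only `contribute()`, while the impact listed above concerns refunds and withdrawals, so those paths need their own deadline check.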
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function
