Missing Contributor Balance Update in `contribute()` function
Summary
The lib.rs::contribute() function fails to update the contributor’s contribution.amount after a contribution is made. This creates a critical inconsistency where the recorded contribution does not match the actual amount sent, potentially not allowing contributors to get refund of their contributions.
https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L50
fund.amount_raised += amount;
//This is missing contribution.amount + = amount
Vulnerability Details
In the FundContribute function, only fund.amount_raised is updated:
However, the contribution.amount field is not updated accordingly. Since refunds rely on this field to determine how much a contributor can get refund, no contrubutor can get the refunds.
Impact
Contributors may be able to get refund of their contribution.
The contract fails to track individual contributions correctly, causing inconsistencies in refund calculations.
Tools Used
Manual Review
Recommendations
Ensure that the contribution.amount is updated alongside fund.amount_raised to reflect the contributor’s actual contribution
This prevents contributors from claiming refunds exceeding their actual contributions.
Appeal created
Contribution amount is not updated
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.