The set_deadline() function checks whether fund.dealine_set is true before allowing the deadline to be updated. However, it fails to update fund.dealine_set after setting the deadline, allowing multiple calls to update the deadline indefinitely.
The function checks if dealine_set is already true, but it does not mark it as true after setting the deadline:
Since fund.dealine_set is never updated, users can repeatedly call set_deadline(), modifying the deadline at any time, even after contributions have been made. This can be exploited by the fund creator to adjust deadlines strategically and manipulate withdrawals.
Fund creators can repeatedly update the deadline, allowing them to withdraw funds at their convenience.
Users may be misled about the deadline, as it can change arbitrarily.
Fundraising integrity is compromised, making deadlines meaningless.
Manual review
Update fund.dealine_set to true after setting the deadline to enforce one-time modification. This ensures that once a deadline is set, it cannot be changed, maintaining fundraising integrity.