RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Valid

Missing Goal Check in withdraw() Allows Withdrawals Even When the Goal Is Not Met

Summary

The withdraw() function allows the fund creator to withdraw funds without checking whether the fundraising goal has been met or not. This allows withdrawals at any time, even if the target amount has not been reached.

Vulnerability Details

Currently, the function simply transfers all raised funds to the creator.

There is no check that fund.amount_raised >= fund.goal before the transfer, so the creator can withdraw even if the fundraising goal has not been met.

https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L90

Impact

Fund creator can withdraw and exit without fulfilling the fundraising purpose.

Tools Used

Manual Review

Recommendations

Add a check before allowing withdrawal:

if ctx.accounts.fund.amount_raised < ctx.accounts.fund.goal {
    return Err(ErrorCode::GoalNotReached.into());
}

This ensures that withdrawals are only possible after the goal is reached, maintaining the integrity of the fundraising process.
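The following is an added example, not code from the submission or the RustFund repository: a dependency-free Rust model of the withdraw logic that can be compiled without an Anchor toolchain, showing the unguarded shape described above next to the version with the recommended goal check. The field names amount_raised and goal follow the report; the Fund type, FundError, contribute, withdraw_unchecked, withdraw and demo are assumed names, and tracking the released amount by zeroing amount_raised is a modelling choice (the on-chain program moves lamports between accounts instead).

```rust
// Added example (not the RustFund program's code): a model of withdraw()
// with and without the goal check recommended in the report.
use std::mem;

/// Mirrors the ErrorCode::GoalNotReached variant proposed in the recommendation.
/// `Overflow` is an assumed variant for the model's contribution accounting.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FundError {
    GoalNotReached,
    Overflow,
}

/// Minimal stand-in for the fund account: only the two fields the check needs.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
}

impl Fund {
    pub fn new(goal: u64) -> Self {
        Fund { goal, amount_raised: 0 }
    }

    /// Records a contribution; checked arithmetic so the model cannot wrap.
    pub fn contribute(&mut self, lamports: u64) -> Result<(), FundError> {
        self.amount_raised = self
            .amount_raised
            .checked_add(lamports)
            .ok_or(FundError::Overflow)?;
        Ok(())
    }

    /// The shape the report describes: everything raised is released to the
    /// creator with no look at the goal. Returns the amount released.
    pub fn withdraw_unchecked(&mut self) -> u64 {
        mem::take(&mut self.amount_raised)
    }

    /// Hardened version: the recommended guard runs before anything is moved.
    pub fn withdraw(&mut self) -> Result<u64, FundError> {
        if self.amount_raised < self.goal {
            return Err(FundError::GoalNotReached);
        }
        Ok(mem::take(&mut self.amount_raised))
    }
}

/// Walks both paths on a constructed fund with a 1_000 lamport goal and only
/// 400 raised. Returns (guarded withdraw result, amount the unguarded path released).
pub fn demo() -> (Result<u64, FundError>, u64) {
    let mut guarded = Fund::new(1_000);
    guarded.contribute(400).unwrap();
    let blocked = guarded.withdraw();

    let mut unguarded = Fund::new(1_000);
    unguarded.contribute(400).unwrap();
    let drained = unguarded.withdraw_unchecked();

    (blocked, drained)
}

fn main() {
    let (blocked, drained) = demo();
    println!("guarded withdraw before goal: {:?}", blocked);
    println!("unguarded withdraw before goal released {} lamports", drained);
}
```

Running the model shows the guarded withdraw returning GoalNotReached while the unguarded path releases the partial 400 lamports; once contributions reach the goal the guarded withdraw succeeds, which is the behaviour the recommendation is meant to enforce.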

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No goal achievement check in `withdraw` function
