RustFund

First Flight #36
Submission Details
Severity: high
Valid

Missing Deadline Check in withdraw() Allows Premature Withdrawals

Summary

The withdraw() function allows the fund creator to withdraw funds at any time, without verifying whether the deadline has passed. This enables early withdrawals, potentially before contributors

Vulnerability Details

Currently, the withdraw() function executes without checking whether the deadline has expired.

There is no check to ensure that the current timestamp has surpassed the deadline (fund.deadline).

Impact

Funds can be withdrawn early, undermining the crowdfunding mechanism.

Contributors' expectations are violated, as funds may be withdrawn before they anticipate.

Potential misuse, where the creator withdraws funds before the campaign officially ends.

Tools Used

Manual Review

Recommendations

Before executing the withdrawal, add a deadline check:

let deadline = ctx.accounts.fund.deadline;
// Reject the withdrawal if no deadline was set (0) or the deadline is still in the future.
if deadline == 0 || deadline > Clock::get()?.unix_timestamp.try_into().unwrap() {
    return Err(ErrorCode::DeadlineNotReached.into());
}

This ensures that withdrawals only happen after the fundraising deadline, preserving fairness in fund management.
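
The effect of the check, shown as an added example on a plain-Rust model of the fund state (not the RustFund program's own code and not part of the original submission). The `amount_raised` field, the `InvalidClock` variant, the function names and the sample timestamps are assumptions made for illustration; `now` stands in for the on-chain clock value.

```rust
// Added example: plain-Rust model of the fund state, not the RustFund program.
// `amount_raised`, `InvalidClock` and the function names are hypothetical.
#[derive(Debug, PartialEq)]
enum ErrorCode {
    DeadlineNotReached,
    InvalidClock, // hypothetical: clock value could not be represented as u64
}

struct Fund {
    deadline: u64,      // unix seconds; 0 means "never set"
    amount_raised: u64, // amount held for the campaign
}

// Behaviour described in the finding: pays out regardless of the deadline.
fn withdraw_unchecked(fund: &mut Fund) -> Result<u64, ErrorCode> {
    Ok(std::mem::take(&mut fund.amount_raised))
}

// Hardened form: `now` models Clock::get()?.unix_timestamp, which is an i64.
fn withdraw_checked(fund: &mut Fund, now: i64) -> Result<u64, ErrorCode> {
    // Convert without panicking; a negative timestamp is rejected.
    let now = u64::try_from(now).map_err(|_| ErrorCode::InvalidClock)?;
    // Same condition as the recommendation: an unset or future deadline blocks the payout.
    if fund.deadline == 0 || fund.deadline > now {
        return Err(ErrorCode::DeadlineNotReached);
    }
    Ok(std::mem::take(&mut fund.amount_raised))
}

fn main() {
    // Constructed sample values.
    let mut early = Fund { deadline: 1_700_000_000, amount_raised: 5_000 };
    println!("unchecked, before deadline: {:?}", withdraw_unchecked(&mut early));
    let mut guarded = Fund { deadline: 1_700_000_000, amount_raised: 5_000 };
    println!("checked, before deadline:   {:?}", withdraw_checked(&mut guarded, 1_699_999_999));
    println!("checked, at deadline:       {:?}", withdraw_checked(&mut guarded, 1_700_000_000));
}
```
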

Updates

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function
