RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Deadline Flag Never Set

heim

Summary

The contract checks for a flag that prevents setting multiple deadlines, but it never actually sets this flag.

Vulnerability Details

In the set_deadline function, the contract checks the dealine_set flag to prevent setting the deadline multiple times, but after setting the deadline, it never updates this flag to true. This means the check is ineffective, and deadlines can be changed multiple times.

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

// Missing: fund.dealine_set = true;

Ok(())

}

Impact

Fund creators can change the deadline multiple times, creating confusion for contributors and potentially manipulating the funding timeline

POC

//audit MEDIUM - Deadline Never Marked as Set

it("Can set multiple deadlines despite check", async () => {

const firstDeadline = new anchor.BN(Math.floor(Date.now() / 1000) + 100);

await program.methods

.setDeadline(firstDeadline)

.accounts({

fund: fundPDA,

creator: creator.publicKey,

})

.rpc();

const secondDeadline = new anchor.BN(Math.floor(Date.now() / 1000) + 200);

await program.methods

.setDeadline(secondDeadline)

.accounts({

fund: fundPDA,

creator: creator.publicKey,

})

.rpc();

const fund = await program.account.fund.fetch(fundPDA);

console.log(`Set deadline twice. New deadline: ${fund.deadline.toString()}`);

});

Output:

========================================

🐛 BUG REPORT [MEDIUM]: Deadline Flag Never Set

----------------------------------------

Description: The dealine_set flag is checked but never set to true after setting a deadline

Evidence: Successfully set deadline multiple times. New deadline: 1742920083

========================================

Tools Used

Anchor framework for testing
Manual code review

Recommendations

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

+ fund.dealine_set = true; // Add this line

Ok(())

}

Updates

Appeal created

bube Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.