RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

No Minimum Deadline Validation

heim

Summary

The contract allows deadlines to be set in the past, which can immediately make funds expired.

Vulnerability Details

The set_deadline function accepts any deadline value without validating that it's in the future, allowing fund creators to set deadlines that have already passed.

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline; // No validation that deadline > current time
Ok(())
}

Impact

Setting deadlines in the past can create funds that are immediately expired, preventing contributors from participating and potentially allowing the creator to withdraw funds immediately

POC

Add to tests/rustfund.ts:

//audit MEDIUM - No Minimum Deadline Validation
it("Can set deadline in the past", async () => {
const pastFundName = "Past Deadline Fund";
const [pastFundPDA] = await PublicKey.findProgramAddress(
[Buffer.from(pastFundName), creator.publicKey.toBuffer()],
program.programId
);
await program.methods
.fundCreate(pastFundName, description, goal)
.accounts({
fund: pastFundPDA,
creator: creator.publicKey,
systemProgram: anchor.web3.SystemProgram.programId,
})
.rpc();
const pastDeadline = new anchor.BN(Math.floor(Date.now() / 1000) - 1000); // 1000 seconds in the past
await program.methods
.setDeadline(pastDeadline)
.accounts({
fund: pastFundPDA,
creator: creator.publicKey,
})
.rpc();
const fund = await program.account.fund.fetch(pastFundPDA);
const currentTime = Math.floor(Date.now() / 1000);
console.log(`Set deadline to ${fund.deadline.toString()} which is ${currentTime - fund.deadline.toNumber()} seconds in the past`);
});
```
Output:
```javascript
========================================
🐛 BUG REPORT [MEDIUM]: No Minimum Deadline Validation
----------------------------------------
Description: The program allows setting deadlines in the past, potentially making funds immediately expired
Evidence: Set deadline to 1742918884 which is 1000 seconds in the past. Current time: 1742919884
========================================
```
## Tools Used
- Anchor framework for testing
- Manual code review
## Recommendations
```diff
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
// Validate deadline is in the future
+ let current_time: u64 = Clock::get().unwrap().unix_timestamp.try_into().unwrap();
+ if deadline <= current_time {
+ return Err(ErrorCode::InvalidDeadline.into());
}
fund.deadline = deadline;
fund.dealine_set = true;
Ok(())
}
```
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function

The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set correct deadline, otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.