RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Missing flag update in `set_deadline` allows multiple deadline changes

teoslaf

Description

The rustfund::set_deadline function contains a logic error where it checks if a deadline has already been set using the dealine_set flag, but fails to update this flag after setting a new deadline. This creates a discrepancy between the intended behavior (allowing a deadline to be set only once) and the actual implementation (allowing multiple deadline changes).

Proof of Concept

Fund creator calls rustfund::set_deadline to set a deadline for the first time
The function checks if fund.dealine_set is true (it's false by default)
The deadline is updated, but fund.dealine_set remains false
Fund creator can call rustfund::set_deadline again to change the deadline
This cycle can repeat indefinitely, allowing the creator to manipulate the deadline

// Current implementation

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

Ok(())

}

This issue undermines the trust in the crowdfunding system, as fund creators can extend deadlines indefinitely to prevent refunds or shorten deadlines unexpectedly to prevent further contributions.

Recommendation

Update the flag after setting the deadline

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

+ fund.dealine_set = true;

Ok(())

}

This approach eliminates the need for a separate flag altogether, simplifying the code.

Updates

Appeal created

bube Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.