The set_deadline function lacks proper access control
Summary
The set_deadline function lacks proper access control, allowing any user to call it and modify the deadline before the creator sets it.
Vulnerability Details
1.A malicious user interacts with the contract and calls set_deadline().
2.Since no ownership or role-based checks exist, the function executes successfully, changing the deadline value.
3.This results in arbitrary changes to contract behavior.
Impact
Medium because of low likelihood but impact is high.
Tools Used
Manual.
Recommendations
Implement access control to restrict this function to authorized users ie. Creator. Should be the only one to set deadline.
Appeal created
[Invalid] Lack of access control in `set_deadline` function
There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function: ``` #[account(mut, has_one = creator)] pub fund: Account<'info, Fund> ``` If they don’t match, the transaction fails. Also, signer verification is included: ``` #[account(mut)] pub creator: Signer<'info>, ``` The creator account must be a signer, meaning the transaction must be signed using the creator's private key.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.