RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Invalid

The `Clock::get().unwrap()` call in the contribute function can cause a panic if the Solana runtime fails to provide the Clock sysvar.

Summary

The `Clock::get().unwrap()` call in the `contribute` function can cause a panic if the Solana runtime fails to provide the Clock sysvar. This results in the entire transaction failing, leading to a Denial-of-Service (DoS) risk for users trying to interact with the contract.

Vulnerability Details

1. If the Solana runtime fails to provide the Clock sysvar, `Clock::get()` returns an `Err`.

2. Since `.unwrap()` forces the program to panic on `Err`, execution is halted, and the transaction fails.

3. This leads to failed contributions, blocking fundraising operations.

Impact

Medium

Tools Used

Manual

Recommendations

Replace `.unwrap()` with proper error handling using `map_err()` to return a controlled error instead of panicking:

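```rust
if fund.deadline != 0 {
    // Return a controlled error instead of panicking if the Clock sysvar is unavailable.
    // Assumes a ClockSysvarError variant exists in the program's ErrorCode enum.
    let clock = Clock::get().map_err(|_| ErrorCode::ClockSysvarError)?;
    // Note: this i64 -> u64 conversion still uses unwrap().
    if fund.deadline < clock.unix_timestamp.try_into().unwrap() {
        return Err(ErrorCode::DeadlineReached.into());
    }
}
```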
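
A std-only model of the deadline check, added here as an example (it is not the RustFund program's code): `Clock`, `Fund`, `ErrorCode` and the `Result<Clock, ()>` parameter are stand-ins for the Anchor/Solana types and for the result of `Clock::get()`. It goes one step beyond the snippet above by also removing the remaining `try_into().unwrap()`, mapping a negative timestamp to the same error variant (an assumption).

```rust
use std::convert::TryFrom;

// Std-only stand-ins for the program's types, so this runs offline (assumptions).
#[derive(Debug, PartialEq)]
enum ErrorCode { DeadlineReached, ClockSysvarError }
struct Clock { unix_timestamp: i64 }
struct Fund { deadline: u64 }

// `sysvar` stands in for the result of Clock::get(); Err(()) models a failed lookup.
// unwrap() pattern: a failed lookup or a negative timestamp panics.
fn check_deadline_unwrap(fund: &Fund, sysvar: Result<Clock, ()>) -> Result<(), ErrorCode> {
    if fund.deadline != 0 {
        let clock = sysvar.unwrap();
        if fund.deadline < u64::try_from(clock.unix_timestamp).unwrap() {
            return Err(ErrorCode::DeadlineReached);
        }
    }
    Ok(())
}

// Panic-free pattern: both failure points are mapped to an error and propagated with `?`.
// Reusing ClockSysvarError for a negative timestamp is an assumption of this example.
fn check_deadline_checked(fund: &Fund, sysvar: Result<Clock, ()>) -> Result<(), ErrorCode> {
    if fund.deadline == 0 {
        return Ok(()); // no deadline set, the clock is never read
    }
    let clock = sysvar.map_err(|_| ErrorCode::ClockSysvarError)?;
    let now = u64::try_from(clock.unix_timestamp).map_err(|_| ErrorCode::ClockSysvarError)?;
    if fund.deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    Ok(())
}

fn main() {
    let fund = Fund { deadline: 1_700_000_000 }; // constructed sample deadline
    // Constructed inputs: failed lookup, negative timestamp, time past the deadline.
    println!("{:?}", check_deadline_checked(&fund, Err(())));
    println!("{:?}", check_deadline_checked(&fund, Ok(Clock { unix_timestamp: -1 })));
    println!("{:?}", check_deadline_checked(&fund, Ok(Clock { unix_timestamp: 1_700_000_001 })));
    // The unwrap() pattern panics on the first two inputs instead of returning Err.
    let panicked = std::panic::catch_unwind(|| check_deadline_unwrap(&fund, Err(()))).is_err();
    println!("unwrap pattern panicked: {}", panicked);
}
```
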
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Incorrect error handling for timestamp

It is very unlikely for `Clock::get` to fail, therefore I think it is safe to use `unwrap` here. Consider this issue as informational.
