`set_deadline` Instruction Does Not Update the `deadline_set` Flag (Incomplete State Update)
Summary
A flag named dealine_set is supposed to prevent multiple updates to the deadline. However, because it is never updated to true, the campaign creator can keep calling set_deadline indefinitely.
Vulnerability Details
There is a check:
But the code that should set fund.dealine_set = true is missing.
Therefore, the condition never returns an error, letting the attacker repeatedly change the deadline.
Impact Details
Infinite Deadline Extension: The creator can postpone the refund window, never letting sponsors get their money back if the campaign fails.
Breach of Trust: Sponsors rely on a fixed campaign timeframe. Changing it arbitrarily is a major integrity issue.
Tools Used
Manual analysis of the set_deadline function code.
Comparison with the stated business logic in the documentation.
Recommendations
Add the string
fund.dealine_set = trueto the function immediately after setting the deadline.Fix a typo in the field name (for example, in
deadline_set) to avoid further confusion.
Appeal created
Deadline set flag is not updated in `set_deadline` function
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.