Submission Details
Severity:
Deadline Can Be Modified Repeatedly Due to Logic Error
Summary
The set_deadline function fails to update dealine_set, allowing creators to repeatedly change the deadline.
Vulnerability Details
The dealine_set flag is never set to true after the deadline is initialized, allowing multiple calls to set_deadline.
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set { // Typo: should be 'deadline_set'
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline;
// Missing: fund.deadline_set = true;
Ok(())
}
Impact
Creators can extend deadlines indefinitely, preventing contributors from claiming refunds.
Tools Used
Recommendations
-
Fix the typo: rename
dealine_settodeadline_set. -
Update the flag after setting the deadline:
+ fund.deadline_set = true;
Updates
Appeal created
bube 3 months ago
Submission Judgement Published Assigned finding tags:
Deadline set flag is not updated in `set_deadline` function
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.