Race Condition in Refunds (Double Refund Attack)
Summary
The refund()function allows contributors to execute multiple refund transactions in parallel before the state updates, resulting in double or multiple withdrawals of the same funds.
Vulnerability Details
1. The function transfers SOL before updating the contribution state.
2. Parallel execution in Solana allows multiple transactions to pass the refund check before contribution.amount = 0; is set.
Impact
I believe there are 2 impacts of this bug:
1. A malicious contributor can withdraw more than their original contribution.
2. The contract fund can be drained because refunds do not correctly track and update contributions before transfer.
Tools Used
Manual Review
Anchor Testing Framework
POC
Steps to Exploit
-
User A contributes 5 SOL to a crowdfunding campaign.
-
User A rapidly submits multiple
refund()transactions in parallel before the contract state updates. -
Since state updates happen after the fund transfer, multiple refund transactions pass, allowing the contributor to withdraw more than their original contribution.
-
Result:
Expected refund: 5 SOL
Actual refund due to race condition: 15 SOL (3x 5 SOL in parallel transactions)
The contract fund is drained unexpectedly.
Code issue in refund():
Recommendation:
Perform state Update before transferring SOL to prevent multiple refund transaction scenarios.
Like here:
Appeal created
[Invalid] Reentrancy in refund
The reentrancy risk on Solana is highly eliminated. The `try_borrow_mut_lamports` ensures that only one reference to an account exists at a time. Also, once the fund’s lamports are borrowed mutably, no other transaction can modify them until the borrow is released. This means the function will reset the `amount` before the next call.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.