RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Valid

Missing Goal Validation Allows Premature Fund Withdrawal

Summary

The `withdraw` function of the rustfund program does not check that the funding goal has been reached (or that the campaign deadline has passed) before releasing funds to the creator. This breaks the "all-or-nothing" model that the project documents for its crowdfunding campaigns and lets a creator take contributed funds regardless of whether the campaign succeeded, which is a direct path to creator fraud.

Vulnerability Details

The `withdraw` function lets the fund creator withdraw everything raised by the campaign without verifying that the funding goal has been met.
The README states "Creators can withdraw funds once their campaign succeeds", meaning withdrawal should only be possible once the goal is reached. The current implementation performs no such check.
As a result, a creator can withdraw all contributed funds immediately, whether or not the goal has been reached. The function also does not check that the campaign deadline has passed, so the withdrawal can happen while contributors are still funding a campaign whose outcome is undecided.

Impact

Contributors lose the guarantee that their funds are only released to a successful campaign: a creator can withdraw whatever has been raised at any point, including before the deadline, so a campaign that never reaches its goal still pays out to the creator.

Tools Used

Manual Review

Recommendations

  1. Require that the amount raised is at least the funding goal before allowing a withdrawal.

  2. Require that the campaign deadline has passed before allowing a withdrawal, so the outcome is final when funds are released.
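The following is an added, stand-alone model of the two checks recommended above; it is example code, not the RustFund program's own code. The `Fund` struct and its fields (`goal`, `amount_raised`, `deadline`, `withdrawn`), the `WithdrawError` variants, and the `now` parameter (standing in for the on-chain clock) are assumptions made for illustration. `withdraw_unchecked` reproduces the behaviour the finding describes, and `withdraw` shows the hardened version with the goal and deadline checks in place.

```rust
// Added example: a plain-Rust model of the withdraw checks, not the
// RustFund program's code. Field names, error variants and the `now`
// parameter (stand-in for the on-chain clock) are assumptions.

#[derive(Debug, Clone, PartialEq)]
pub struct Fund {
    pub creator: [u8; 32],
    pub goal: u64,          // funding target in lamports (assumed)
    pub amount_raised: u64, // total contributed so far (assumed)
    pub deadline: i64,      // unix timestamp when the campaign ends (assumed)
    pub withdrawn: bool,
}

#[derive(Debug, PartialEq)]
pub enum WithdrawError {
    Unauthorized,
    AlreadyWithdrawn,
    DeadlineNotReached,
    GoalNotReached,
}

/// Models the vulnerable behaviour described in the finding: only the
/// creator check exists, so the balance can be taken at any time.
pub fn withdraw_unchecked(fund: &mut Fund, caller: &[u8; 32]) -> Result<u64, WithdrawError> {
    if &fund.creator != caller {
        return Err(WithdrawError::Unauthorized);
    }
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    fund.withdrawn = true;
    Ok(amount)
}

/// Hardened withdraw: the campaign must be over and the goal must be met
/// before the creator receives anything (the "all-or-nothing" rule).
pub fn withdraw(fund: &mut Fund, caller: &[u8; 32], now: i64) -> Result<u64, WithdrawError> {
    if &fund.creator != caller {
        return Err(WithdrawError::Unauthorized);
    }
    if fund.withdrawn {
        return Err(WithdrawError::AlreadyWithdrawn);
    }
    // Deadline check: the outcome is only final once the campaign has ended.
    if now < fund.deadline {
        return Err(WithdrawError::DeadlineNotReached);
    }
    // Goal check: a campaign that did not reach its goal pays out nothing.
    if fund.amount_raised < fund.goal {
        return Err(WithdrawError::GoalNotReached);
    }
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    fund.withdrawn = true;
    Ok(amount)
}

fn main() {
    // Constructed sample: goal not reached, deadline not yet passed.
    let creator = [1u8; 32];
    let mut fund = Fund { creator, goal: 1_000, amount_raised: 400, deadline: 100, withdrawn: false };

    let mut drained = fund.clone();
    println!("unchecked: {:?}", withdraw_unchecked(&mut drained, &creator));
    println!("before deadline: {:?}", withdraw(&mut fund, &creator, 50));
    println!("after deadline, goal missed: {:?}", withdraw(&mut fund, &creator, 100));
    fund.amount_raised = 1_000;
    println!("after deadline, goal met: {:?}", withdraw(&mut fund, &creator, 100));
}
```

Order the checks so that the cheapest and most restrictive ones (authorization, re-entry of an already-withdrawn fund) run first; the deadline and goal checks then gate the actual transfer. In an on-chain program the `now` value would come from the cluster clock rather than a parameter.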

Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

No goal achievement check in `withdraw` function
