Missing Contribution Amount Update Breaks Refund Functionality
Summary
The contribute function in the rustfund program suffers from a critical accounting flaw where user contribution amounts are not properly tracked. The individual contribution is never incremented in the Contribution Account, resulting in broken refund functionality and potential fund loss.
Vulnerability Details
In the contribute function , a user can send SOL to the fund by calling this function with an amount parameter. The function correctly:
Checks if the deadline has been reached
Initializes a new contribution record if needed
Transfers SOL from the contributor to the fund via system program
Updates the total fund.amount_raised value
However, critically, it fails to update the individual contribution record. i.e user contribution amounts are not properly tracked. The individual contribution is never incremented in the Contribution Account
Impact
Contributors cannot receive proper refunds since their contribution amounts are never recorded. The refund function will always return 0 SOL (which is the initialization value).
All contributed funds become effectively locked or only withdrawable by the fund creator, violating the refund guarantees of the crowdfunding mechanism.
The total amount_raised will not match the sum of individual contributions, creating an inconsistent financial state.
Tools Used
Manual Review
Recommendations
Update Contribution Records: Modify the contribute function to properly update individual contribution records:
Appeal created
Contribution amount is not updated
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.