RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Invalid

`fund.deadline` can be set to a very low value or to a past time

Summary

The `set_deadline` function lacks validation to prevent setting deadlines in the past or unreasonably far in the future.

Vulnerability Details

The `set_deadline` function allows setting deadlines with extremely low or past timestamps, potentially breaking the entire fund contribution mechanism.

Impact

Fund managers could:

  • Set deadlines in the past, immediately terminating fund contributions

  • Create extremely distant future deadlines, potentially breaking fund logic

Tools Used

Manual

Recommendations

Add validation to ensure the deadline is in a reasonable, future time window.

+ if deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
+ return Err(ErrorCode::InvalidDeadline.into());
+ }
+ if deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() + MAX_DEADLINE_DURATION {
+ return Err(ErrorCode::DeadlineTooFar.into());
+ }
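
Review bot: Both added checks call `Clock::get().unwrap()` followed by `.try_into().unwrap()`, so a failed clock read or a failed integer conversion panics instead of returning an error to the caller. Read the clock once into a local, propagate the failure with `?`, and reuse that value in both comparisons. In the second check, `+ MAX_DEADLINE_DURATION` is an unchecked addition; use `checked_add` and return an error if it overflows. The first check uses `<`, which still accepts a deadline equal to the current timestamp; use `<=` if the deadline must be strictly in the future. `MAX_DEADLINE_DURATION`, `ErrorCode::InvalidDeadline` and `ErrorCode::DeadlineTooFar` are not defined in the lines shown, so the patch also needs to add them.
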
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function

The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds, the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set the correct deadline; otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.

namx05 Submitter
6 months ago
bube Lead Judge
6 months ago
bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
