RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Refund Vulnerability Allowing Premature Refunds

kweks

Summary

This report addresses a vulnerability in the refund function where refunds are processed even if the campaign deadline has not been set (i.e., when deadline = 0). This flaw violates the protocol's rules, which allow refunds only after a campaign has definitively failed (i.e., after the deadline has passed and the funding goal remains unmet). As a result, the vulnerability disrupts the campaign lifecycle and may be exploited to undermine fundraising efforts and erode contributor trust.

Vulnerability Details

Affected Function: refund

Code Snippet:

pub fn refund(ctx: Context<FundRefund>) -> Result<()> {
// ❌ Missing check: Ensure deadline is set (deadline != 0)
if ctx.accounts.fund.deadline != 0
&& ctx.accounts.fund.deadline > current_time {
return Err(ErrorCode::DeadlineNotReached.into());
}
// Processes refund even if deadline is unset (0)
}

Issue:

  • The function does not verify that a deadline has been set (i.e., deadline != 0).

  • As a result, refunds are allowed even during the active fundraising phase, bypassing the intended campaign lifecycle rules that restrict refunds to only after the campaign has failed.

Impact

Protocol Rules Bypassed

  • Campaign Lifecycle Disruption: By processing refunds when the deadline is unset, the campaign lifecycle is invalidated. Contributors could withdraw funds at any time, which prevents the campaign creator from achieving the funding goal.

  • Erosion of Trust: Contributors expect refunds only if a campaign has formally failed (deadline reached and goal unmet). Allowing premature refunds undermines this expectation and can damage the platform’s credibility.

Severity Scenarios

  • Immediate Fund Drain: If a creator forgets to set a deadline, contributors can immediately refund their pledges, leaving the campaign with no funds.

    • Malicious Exploitation: Attackers may target campaigns with an unset deadline, repeatedly donating and refunding to sabotage the fundraising process.

  • Even when a deadline is set far in the future or not properly marked (possibly due to related issues like a typo in the dealine_set field), contributors might exploit the loophole to access refunds prematurely.

Tools Used

  • Manual Review

Recommendations

Fix Code Logic

  • Ensure Deadline Check: Update the refund function to verify that the deadline has been set and that the current time has passed the deadline before processing a refund.

    Updated Code:

    pub fn refund(ctx: Context<FundRefund>) -> Result<()> {
    let fund = &ctx.accounts.fund;
    // Ensure deadline is set and has passed
    require!(fund.deadline != 0, ErrorCode::DeadlineNotSet);
    require!(
    Clock::get()?.unix_timestamp as u64 >= fund.deadline,
    ErrorCode::DeadlineNotReached
    );
    // Ensure goal is not met
    require!(fund.amount_raised < fund.goal, ErrorCode::GoalMet);
    // Proceed with refund...
    }

Add Specific Error Codes

  • Define DeadlineNotSet Error Code: Include an error message that indicates a refund attempt on a campaign with no set deadline.

    Error Code Example:

    #[error_code]
    pub enum ErrorCode {
    // ...
    #[msg("Deadline not set for this campaign")]
    DeadlineNotSet,
    }

Implementing these recommendations ensures that refunds are only processed when appropriate—after the deadline is explicitly set and reached—thus preserving the integrity of the campaign process and maintaining contributor trust.

Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Possible refund before the deadline is initialized

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.