The contract relies solely on a combination of the fund name and the creator's public key to generate a Program Derived Address (PDA) without enforcing uniqueness on the fund name. This could allow users to create multiple funds with the same name, leading to potential collisions and unintended behavior.
The PDA for each fund is derived using [name.as_bytes(), creator.key().as_ref()], meaning two funds with the same name from the same creator will generate the same PDA.
There is no mechanism in place to ensure that fund names are unique before initializing a new fund.
If a user creates multiple funds with the same name, it could result in overwritten state or ambiguity in fund retrieval.
Users might unintentionally or maliciously create duplicate funds, leading to loss of data integrity.
The contract could fail to distinguish between multiple funds created by the same user with the same name.
Users may exploit this to confuse contributors or manipulate fundraising efforts.
Implement a check in fund_create to ensure that the name has not been used before.
Consider using a unique identifier appended to the fund name (e.g., timestamp, random nonce).
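An added example, not the audited program's code, that models the issue in Python: find_program_address is reproduced as SHA-256 over the seeds, bump, program id and marker with the ed25519 off-curve check, the finding's seed set [name, creator] sits beside a seed set extended with a per-creator fund index, and fund_create models the recommended name check. The program id and creator keys are constructed placeholders.

```python
import hashlib

P = 2**255 - 19                                  # ed25519 field prime
D = (-121665 * pow(121666, -1, P)) % P           # ed25519 curve constant d
PDA_MARKER = b"ProgramDerivedAddress"            # appended by the runtime when hashing seeds
PROGRAM_ID = b"\x11" * 32                        # constructed placeholder, not the real program id
CREATOR_A = b"\xaa" * 32                         # constructed placeholder public keys
CREATOR_B = b"\xbb" * 32

def is_on_curve(point):
    """True if the 32 bytes decompress to an ed25519 point; Solana rejects such PDA candidates."""
    y = (int.from_bytes(point, "little") & ((1 << 255) - 1)) % P
    u, v = (y * y - 1) % P, (D * y * y + 1) % P  # x^2 = u / v on the twisted Edwards curve
    if u == 0:
        return True
    if v == 0:
        return False
    return pow(u * pow(v, -1, P) % P, (P - 1) // 2, P) == 1  # Euler criterion: u/v is a square

def create_program_address(seeds, program_id):
    h = hashlib.sha256()
    for seed in seeds:
        h.update(seed)
    h.update(program_id + PDA_MARKER)            # sha256(seeds || program_id || marker)
    digest = h.digest()
    return None if is_on_curve(digest) else digest

def find_program_address(seeds, program_id):
    """Search the bump seed downward from 255 until an off-curve address is found."""
    for bump in range(255, -1, -1):
        addr = create_program_address(list(seeds) + [bytes([bump])], program_id)
        if addr is not None:
            return addr, bump
    raise ValueError("no viable bump seed")

def fund_pda_vulnerable(name, creator):
    # Seeds exactly as described in the finding: [name.as_bytes(), creator.key().as_ref()]
    return find_program_address([name.encode(), creator], PROGRAM_ID)[0]

def fund_pda_fixed(name, creator, fund_index):
    # Mitigation: append a unique identifier (here a per-creator u64 fund index) to the seeds
    return find_program_address([name.encode(), creator, fund_index.to_bytes(8, "little")], PROGRAM_ID)[0]

def fund_create(registry, name, creator):
    # Mitigation: reject a (creator, name) pair that has already been used before deriving the PDA
    key = (creator, name)
    if key in registry:
        raise ValueError(f"fund name {name!r} already used by this creator")
    registry.add(key)
    return fund_pda_vulnerable(name, creator)
```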