The set_deadline function does not check if the provided deadline timestamp is in the future. This omission allows a campaign creator to set a deadline that is already expired, which may lead to unintended campaign behavior.
In the set_deadline function, the deadline is set without validating whether the provided timestamp is greater than the current blockchain time. Without this check, a creator can inadvertently (or maliciously) set a deadline that has already passed. This could cause the campaign to be immediately considered expired, blocking further contributions or triggering refund logic prematurely.
Campaigns might be initialized with a deadline that is already expired, preventing any contributions.
Contributors may face unexpected behavior as their funds become immediately eligible for refund.
Overall campaign integrity and trust in the platform could be compromised.
Static analysis of contract logic
Manual code review
Modify the set_deadline function to include a check that ensures the new deadline is strictly in the future. For example:
Update the ErrorCode enum to include a new error variant, such as:
Implement unit tests to ensure that setting a past or current timestamp as the deadline is properly rejected.
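The check recommended above, sketched as an added example; this is not the audited contract's code. It is a plain-Rust model with no blockchain SDK, and the `Campaign` struct, the `DeadlineNotInFuture` variant, the `now` parameter, the `u64` timestamp and the expiry rule in `is_expired` are all assumptions made for illustration.

```rust
// Added illustration, not the audited contract: a plain-Rust model with no
// blockchain SDK. `Campaign`, `DeadlineNotInFuture` and `now` are assumed names.

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    /// Hypothetical new variant for a deadline that is not strictly in the future.
    DeadlineNotInFuture,
}

#[derive(Debug, Default)]
pub struct Campaign {
    pub deadline: u64, // Unix seconds (assumed representation)
}

/// Behaviour described in the finding: the timestamp is stored unvalidated.
pub fn set_deadline_unchecked(campaign: &mut Campaign, deadline: u64) -> Result<(), ErrorCode> {
    campaign.deadline = deadline;
    Ok(())
}

/// Recommended form: `now` stands in for the current blockchain time, and the
/// campaign state is left untouched when the check fails.
pub fn set_deadline(campaign: &mut Campaign, now: u64, deadline: u64) -> Result<(), ErrorCode> {
    if deadline <= now {
        return Err(ErrorCode::DeadlineNotInFuture);
    }
    campaign.deadline = deadline;
    Ok(())
}

/// Assumed expiry rule: the campaign is over once `now` reaches the deadline.
pub fn is_expired(campaign: &Campaign, now: u64) -> bool {
    now >= campaign.deadline
}

fn main() {
    let now = 1_700_000_000; // constructed sample timestamp
    let mut c = Campaign::default();
    set_deadline_unchecked(&mut c, now - 60).unwrap();
    println!("unchecked, past deadline -> expired at once: {}", is_expired(&c, now));

    let mut c = Campaign::default();
    for candidate in [now - 60, now, now + 3600] {
        println!("{}: {:?}", candidate, set_deadline(&mut c, now, candidate));
    }
    println!("stored deadline: {}, expired: {}", c.deadline, is_expired(&c, now));
}
```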
The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds, the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set the correct deadline; otherwise, the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.