RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Valid

Lack of certain checks leads to time manipulation in set_deadline function

Summary:

Hi,

I have found a potential bug: the lack of certain checks leads to time manipulation in the set_deadline function.

Vulnerability Details:

The main details of the potential vulnerability are given as follows:

set_deadline doesn't set the dealine_set flag to true after setting the deadline, allowing the creator to repeatedly set new deadlines and potentially extend the campaign indefinitely.

Also, this function does not validate that the provided deadline is in the future. Setting a deadline in the past would immediately prevent contributions and allow refunds, which could be used maliciously or accidentally to disrupt the campaign.

Impact:

  • Contributors may get misled about the campaign's timeline.

  • Campaigns could be prematurely terminated, undermining trust in the platform.

Tools Used:

Manual review

Recommendations:

  • Set fund.dealine_set = true after setting the deadline.

  • Add a check to ensure the deadline is greater than the current timestamp.

```rust
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
    let fund = &mut ctx.accounts.fund;

    // Reject any attempt to change a deadline that has already been set
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet.into());
    }

    // Validate deadline is in the future
    // (propagate a Clock sysvar failure with `?` instead of panicking)
    let current_timestamp: u64 = Clock::get()?.unix_timestamp.try_into().unwrap();
    if deadline <= current_timestamp {
        // InvalidDeadline must be defined as a variant of ErrorCode
        return Err(ErrorCode::InvalidDeadline.into());
    }

    fund.deadline = deadline;
    // Set the flag to true
    fund.dealine_set = true;
    Ok(())
}
```
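
The following is an added example, not part of the original submission or the RustFund code base: a plain-Rust model of the behaviour the finding describes beside the recommended fix. The `Fund` struct, the `set_deadline_vulnerable` and `set_deadline_fixed` names, and the `now` parameter (standing in for the Clock sysvar) are assumptions made so the example runs without Anchor.

```rust
// Plain-Rust model of the finding; no Anchor or Solana dependencies.
#[derive(Debug, PartialEq)]
pub enum ErrorCode { DeadlineAlreadySet, InvalidDeadline }

// Hypothetical stand-in for the on-chain fund account.
#[derive(Default)]
pub struct Fund { pub deadline: u64, pub dealine_set: bool }

// Behaviour as described in the finding (reconstructed, assumed shape):
// the flag is checked but never set, and the deadline is not validated.
pub fn set_deadline_vulnerable(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    Ok(())
}

// Recommended behaviour: reject non-future deadlines and latch the flag.
// `now` stands in for the Clock sysvar's unix_timestamp.
pub fn set_deadline_fixed(fund: &mut Fund, deadline: u64, now: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    if deadline <= now {
        return Err(ErrorCode::InvalidDeadline);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}

fn main() {
    let now: u64 = 1_700_000_000; // constructed timestamp
    let mut v = Fund::default();
    // Vulnerable: every call succeeds, so the deadline can be moved at will.
    for d in [now + 100, now + 10_000, now - 1] {
        println!("vulnerable set {} -> {:?}", d, set_deadline_vulnerable(&mut v, d));
    }
    let mut f = Fund::default();
    // Fixed: past deadline rejected, first valid call latches, second refused.
    for d in [now - 1, now + 100, now + 10_000] {
        println!("fixed set {} -> {:?}", d, set_deadline_fixed(&mut f, d, now));
    }
    println!("final deadlines: vulnerable={} fixed={}", v.deadline, f.deadline);
}
```
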
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function
