An accounting vulnerability exists in the RustFund program where contribution amounts are not properly tracked at the individual contributor level. While funds are successfully transferred from contributors to the fund account and the global fund.amount_raised is updated, the individual contribution amount is initialized to 0 but never incremented when users make contributions.
In the contribute function, the program correctly transfers SOL from the contributor to the fund account using system_program::transfer and updates the fund.amount_raised variable. However, it fails to update the individual contributor's amount field.
This means that while the total amount raised is tracked correctly at the fund level, individual contribution records remain at 0 regardless of how much a user contributes.
The refund function relies on contribution.amount to determine how much to refund to contributors. Since this value is always 0, contributors can never receive refunds, effectively locking their funds in the contract permanently.
Manual Review
Modify the contribute function to properly update the individual contribution records:
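The following is an added example, not the RustFund source: a plain-Rust model of the accounting (no Anchor or Solana crates) that puts the contribute behaviour described above beside a corrected form and runs each through refund. The struct layouts, the balance field, the `_buggy`/`_fixed` names, the `scenario` helper and clearing the record after a refund are assumptions made for the model.

```rust
// Constructed model of the finding; not the program's own code.
#[derive(Default)]
struct Fund { amount_raised: u64, balance: u64 } // balance stands in for the fund account's lamports
#[derive(Default)]
struct Contribution { amount: u64 } // per-contributor record, initialized to 0

// As described in the finding: lamports move and the global total is updated,
// but the contributor's own record is never incremented.
fn contribute_buggy(fund: &mut Fund, _c: &mut Contribution, wallet: &mut u64, amount: u64) -> Option<()> {
    *wallet = wallet.checked_sub(amount)?;
    fund.balance = fund.balance.checked_add(amount)?;
    fund.amount_raised = fund.amount_raised.checked_add(amount)?;
    Some(())
}

// Corrected form: the individual record is updated too, with checked arithmetic.
fn contribute_fixed(fund: &mut Fund, c: &mut Contribution, wallet: &mut u64, amount: u64) -> Option<()> {
    let new_amount = c.amount.checked_add(amount)?;
    *wallet = wallet.checked_sub(amount)?;
    fund.balance = fund.balance.checked_add(amount)?;
    fund.amount_raised = fund.amount_raised.checked_add(amount)?;
    c.amount = new_amount;
    Some(())
}

// Refund pays out whatever contribution.amount records.
fn refund(fund: &mut Fund, c: &mut Contribution, wallet: &mut u64) -> Option<u64> {
    let owed = c.amount;
    fund.balance = fund.balance.checked_sub(owed)?;
    *wallet = wallet.checked_add(owed)?;
    c.amount = 0; // assumption: the record is cleared after payout
    Some(owed)
}

// One contribute + refund cycle.
// Returns (recorded contribution, refunded, lamports left in the fund).
fn scenario(fixed: bool) -> (u64, u64, u64) {
    let (mut fund, mut c) = (Fund::default(), Contribution::default());
    let (mut wallet, amt) = (5_000_000_000u64, 1_000_000_000u64); // constructed values
    if fixed { contribute_fixed(&mut fund, &mut c, &mut wallet, amt).unwrap() }
    else { contribute_buggy(&mut fund, &mut c, &mut wallet, amt).unwrap() }
    assert_eq!(fund.amount_raised, amt); // the global total is correct either way
    let recorded = c.amount;
    let refunded = refund(&mut fund, &mut c, &mut wallet).unwrap();
    (recorded, refunded, fund.balance)
}

fn main() {
    println!("buggy: {:?}", scenario(false));
    println!("fixed: {:?}", scenario(true));
}
```

A regression test for the real program can assert the same invariant: after a contribute call, contribution.amount has increased by exactly the amount added to fund.amount_raised.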