RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

The Initializing if condition in the `contribute` function doesn't add the amount, rather it sets it zero ,which leads to miscalculation of user's contribution amount in the record

fairytales

Summary

There is a if condition in contribute instruction which checks if the contributor field in the contribution account supplied is a zero account/default, if so it initialises it with pubkey of the contributor, fund account pubkey and amount which is zero.

Vulnerability Details

The amount field of contribution account is being set to zero during initialisation , rather than setting the field with the user supplied amount parameter. This is wrong, since it should be updated using the amount parameter. It getting set to zero will cause loss to the user incase of a refund.

Impact

Incase if user requests a refund , this will be a loss to the user, since the amount will be 0,which is unfair.

Recommendations

pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
...
if contribution.contributor == Pubkey::default() {
contribution.contributor = ctx.accounts.contributor.key();
contribution.fund = fund.key();
- contribution.amount = 0;
+ contribution.amount = amount;
}
...
}
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Contribution amount is not updated

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.