Lack of access control on the set_deadline function allows anyone to set the deadline for the fund.
Anyone is able to call set_deadline and set deadline to the value of his choice:
I am considering the impacts in the case where the deadline can be set just once, as it is supposed to be when we take into account this line of code: `return Err(ErrorCode::DeadlineAlreadySet.into())`
These impacts will not happen with the current implementation since the creator will be able to call set_deadline again to reset the deadline, an issue that I reported separately.
Refund might never occur since deadline can be set to thousands of years from now
Contribution can be too short since deadline can be set to a certain value slightly > Clock::get().unwrap().unix_timestamp.try_into().unwrap()
Contribution might never occur since deadline can be set to a certain value < Clock::get().unwrap().unix_timestamp.try_into().unwrap()
Manual review
Add access control for the set_deadline function
There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function:

```
#[account(mut, has_one = creator)]
pub fund: Account<'info, Fund>
```

If they don’t match, the transaction fails. Also, signer verification is included:

```
#[account(mut)]
pub creator: Signer<'info>,
```

The creator account must be a signer, meaning the transaction must be signed using the creator's private key.
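
The two checks described in the comment above, as an added example that is not part of the submission, the judge's reply, or Anchor's own code. It is a std-only Rust model: `Pubkey(u8)`, `AccountMeta`, `CheckError` and `validate` are constructed names, and the order of the two checks is an assumption of the model.

```rust
// Std-only model of the account checks; not Anchor code. All types, names and
// one-byte keys are constructed for illustration.
#[derive(Debug, PartialEq)]
pub enum CheckError {
    AccountNotSigner, // models `pub creator: Signer<'info>`
    ConstraintHasOne, // models `has_one = creator` on `fund`
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Pubkey(pub u8);

pub struct Fund {
    pub creator: Pubkey,
    pub deadline: u64,
}

/// One account as passed in a transaction: its key, and whether that key signed.
pub struct AccountMeta {
    pub key: Pubkey,
    pub is_signer: bool,
}

/// Checks that run before the handler body (order is an assumption of this model).
fn validate(fund: &Fund, creator: &AccountMeta) -> Result<(), CheckError> {
    if !creator.is_signer {
        return Err(CheckError::AccountNotSigner);
    }
    if fund.creator != creator.key {
        return Err(CheckError::ConstraintHasOne);
    }
    Ok(())
}

pub fn set_deadline(fund: &mut Fund, creator: &AccountMeta, deadline: u64) -> Result<(), CheckError> {
    validate(fund, creator)?;
    fund.deadline = deadline; // handler body: reached only by the signing creator
    Ok(())
}

fn main() {
    let mut fund = Fund { creator: Pubkey(1), deadline: 0 };
    let other = AccountMeta { key: Pubkey(2), is_signer: true }; // signs, but is not fund.creator
    let unsigned = AccountMeta { key: Pubkey(1), is_signer: false }; // creator's key, no signature
    let creator = AccountMeta { key: Pubkey(1), is_signer: true };
    println!("{:?}", set_deadline(&mut fund, &other, 99));
    println!("{:?}", set_deadline(&mut fund, &unsigned, 99));
    println!("{:?} deadline={}", set_deadline(&mut fund, &creator, 1_900_000_000), fund.deadline);
}
```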