RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Invalid

Unrestricted contributions even after funding goal is reached

Summary

The RustFund smart contract allows contributors to continue making contributions even after a project's funding goal has been reached.

Vulnerability Details

The contribute function does not check whether the funding goal has been reached before accepting new contributions:

    pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
        // ... code ...
        // Only the deadline is enforced (and only when one is set, i.e. deadline != 0)
        if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
            return Err(ErrorCode::DeadlineReached.into());
        }
        // ... code ...
        // The raised amount grows without bound: there is no comparison against fund.goal
        fund.amount_raised += amount;
        Ok(())
    }

The function only verifies whether the deadline has passed (if one is set) but never compares fund.amount_raised against fund.goal to determine whether the project is already fully funded. As a result, contributors lose any money they contribute beyond fund.goal, because the creator can withdraw all of the campaign's funds/tokens.

Impact

Contributors may unknowingly fund projects beyond their stated needs, with no mechanism to protect them.

Tools Used

Manual review

Recommendations

Modify the contribute function to check if the funding goal has been reached:

    // Reject the contribution once the goal has already been met.
    // FundingGoalReached is a new variant that must be added to the program's ErrorCode enum.
    if fund.amount_raised >= fund.goal {
        return Err(ErrorCode::FundingGoalReached.into());
    }
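To make the difference concrete, here is an added example (not the RustFund program's own code) that models the Fund account and the contribute logic in plain Rust, with no Anchor dependency. It assumes a Fund struct with goal, amount_raised and deadline fields, passes the current timestamp in as a parameter instead of reading Clock, and uses checked_add instead of += so an overflow is reported rather than wrapping; the vulnerable and recommended versions sit side by side.

```rust
// Added example, not the RustFund program's own code: a plain-Rust model of the
// Fund account and the contribute instruction, without Anchor.
#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineReached,
    FundingGoalReached, // variant the recommendation relies on (assumed name)
    Overflow,
}

#[derive(Debug, Clone)]
pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
    pub deadline: i64, // 0 means "no deadline", as in the original check
}

/// Mirrors the original behaviour: only the deadline is enforced.
pub fn contribute_unchecked(fund: &mut Fund, amount: u64, now: i64) -> Result<(), ErrorCode> {
    if fund.deadline != 0 && fund.deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    // Assumed hardening over the original `+=`: report overflow instead of wrapping.
    fund.amount_raised = fund.amount_raised.checked_add(amount).ok_or(ErrorCode::Overflow)?;
    Ok(())
}

/// Recommended behaviour: additionally rejects contributions once the goal is met.
pub fn contribute_goal_checked(fund: &mut Fund, amount: u64, now: i64) -> Result<(), ErrorCode> {
    if fund.deadline != 0 && fund.deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    if fund.amount_raised >= fund.goal {
        return Err(ErrorCode::FundingGoalReached);
    }
    fund.amount_raised = fund.amount_raised.checked_add(amount).ok_or(ErrorCode::Overflow)?;
    Ok(())
}

fn main() {
    // Constructed sample: a campaign that has exactly reached its goal.
    let funded = Fund { goal: 1_000, amount_raised: 1_000, deadline: 0 };
    println!("unchecked: {:?}", contribute_unchecked(&mut funded.clone(), 500, 1));
    println!("goal-checked: {:?}", contribute_goal_checked(&mut funded.clone(), 500, 1));
}
```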

Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[Invalid] The contributions are allowed even after the campaign's goal is reached

Typically, crowdfunding campaigns allow contributions after the goal is achieved. This is normal, because the goal of the campaign is to raise as much in funds as possible. Therefore, this is a design choice.
