RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP

Submission Details
Severity: medium
Invalid

Missing deadline enforcement allows indefinite fund collection

Summary

The RustFund contract allows campaign creators to accept contributions indefinitely because the setting of a deadline is never enforced. Campaigns can therefore run forever, with creators able to withdraw funds at any time, which undermines the fundamental trust model of crowdfunding.

Vulnerability Details

The vulnerability stems from three interrelated issues in the codebase:

In the fund_create function, the deadline is initialized to 0 and dealine_set to false:

fund.deadline = 0;
fund.dealine_set = false;

The contribute function only blocks contributions when both of the following conditions hold:

if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
return Err(ErrorCode::DeadlineReached.into());
}

This means that if the deadline is 0 (i.e. it was never set), contributions are always allowed.

Impact

Malicious actors could create perpetual campaigns with no deadline and continuously siphon funds from them.

Tools Used

Manual review

Recommendations

Consider enforcing a default minimum campaign duration (greater than 0, and not trivially short either) so that campaigns cannot run indefinitely.
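As an added illustration (not the RustFund program's own code, and without Anchor or Solana dependencies), the following plain-Rust model reproduces the contribute gate quoted above beside a hardened creation path that enforces an assumed 7-day minimum duration and a hardened gate that refuses contributions while the deadline is unset. The struct, the MIN_DURATION_SECS constant and the DeadlineNotSet/DurationTooShort error variants are constructed for this example; the real program spells its flag dealine_set, which the model writes as deadline_set.

```rust
// Constructed model of the fund state and checks discussed above; not the
// RustFund program itself. The real program spells the flag `dealine_set`.
#[derive(Debug, Clone)]
pub struct Fund {
    pub deadline: i64,      // unix timestamp; 0 means "never set"
    pub deadline_set: bool,
    pub amount_raised: u64,
}

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineReached,
    DeadlineNotSet,    // assumed: added for the hardened gate
    DurationTooShort,  // assumed: added for the hardened creation path
}

/// Assumed default minimum campaign duration (7 days), per the recommendation.
pub const MIN_DURATION_SECS: i64 = 7 * 24 * 60 * 60;

/// The contribute gate as quoted on the page: a deadline of 0 never blocks,
/// so an unset deadline lets contributions flow forever.
pub fn contribute_as_written(fund: &mut Fund, now: i64, lamports: u64) -> Result<(), ErrorCode> {
    if fund.deadline != 0 && fund.deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    fund.amount_raised += lamports;
    Ok(())
}

/// Hardened creation: the deadline is fixed when the fund is created and must
/// leave at least MIN_DURATION_SECS of runway, so no fund exists with deadline 0.
pub fn fund_create_hardened(now: i64, deadline: i64) -> Result<Fund, ErrorCode> {
    if deadline < now + MIN_DURATION_SECS {
        return Err(ErrorCode::DurationTooShort);
    }
    Ok(Fund { deadline, deadline_set: true, amount_raised: 0 })
}

/// Hardened gate: refuse while the deadline is unset, then apply the expiry check.
pub fn contribute_hardened(fund: &mut Fund, now: i64, lamports: u64) -> Result<(), ErrorCode> {
    if !fund.deadline_set || fund.deadline == 0 {
        return Err(ErrorCode::DeadlineNotSet);
    }
    if fund.deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    fund.amount_raised += lamports;
    Ok(())
}
```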

Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Contributions are allowed before the deadline is initialized.

There is no problem with users contributing to a given campaign before the deadline is initialized. The issue is when users refund before the deadline is set.
