RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: high
Invalid

Fund's creator can set fund's deadline to a past timestamp

Summary

The fund's creator can set the fund's deadline to a point in time in the past.

Vulnerability Details

Inside the `set_deadline` function, the creator of the fund is able to set the fund's deadline to a past timestamp, because there is no deadline check.

Impact

By setting the fund's deadline to a point in the past, the fund's creator can immediately end the contribution campaign for a fund, leaving contributors no chance of getting their contributions back by calling the `refund` function, as they would have no chance to react to the new deadline (set to some past point in time). Thus, the fund's creator can scam contributors and not let them get their contributions back, essentially stealing their contributions. Setting the deadline to a past timestamp makes the `refund` function useless.

Tools Used

Manual Review

Recommendations

Add a check that makes sure that the creator of the fund is not able to set the fund's deadline to a past timestamp.
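
The check recommended above, as an added example that is not part of the submission or of the RustFund code base: a plain-Rust model of `set_deadline` without and with validation. The `Fund` struct, its field, the error type and the `now` parameter (assumed to be a signed Unix timestamp supplied by the runtime clock) are hypothetical.

```rust
// Added example: a plain-Rust model, not the RustFund program's own code.
// `Fund`, its field and `DeadlineError` are hypothetical names.
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum DeadlineError {
    InvalidClock,   // the clock reported a negative timestamp
    DeadlineInPast, // the new deadline is at or before the current time
}

pub struct Fund {
    pub deadline: u64, // Unix seconds
}

/// The behaviour the finding describes: any value is accepted.
pub fn set_deadline_unchecked(fund: &mut Fund, new_deadline: u64) {
    fund.deadline = new_deadline;
}

/// The recommended check: the new deadline must lie strictly in the future.
/// `now` is a signed Unix timestamp (assumption), so a negative value is
/// rejected before it is compared with the unsigned deadline.
pub fn set_deadline_checked(
    fund: &mut Fund,
    new_deadline: u64,
    now: i64,
) -> Result<(), DeadlineError> {
    let now = u64::try_from(now).map_err(|_| DeadlineError::InvalidClock)?;
    if new_deadline <= now {
        return Err(DeadlineError::DeadlineInPast);
    }
    fund.deadline = new_deadline;
    Ok(())
}

fn main() {
    let now: i64 = 1_700_000_000; // constructed sample timestamp
    let mut fund = Fund { deadline: 0 };
    set_deadline_unchecked(&mut fund, 1_600_000_000);
    println!("unchecked stored a past deadline: {}", fund.deadline);

    let mut fund = Fund { deadline: 0 };
    println!("past:   {:?}", set_deadline_checked(&mut fund, 1_600_000_000, now));
    println!("future: {:?}", set_deadline_checked(&mut fund, 1_700_086_400, now));
}
```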

Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function

The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds, the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set the correct deadline; otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.

dethera Submitter
5 months ago
bube Lead Judge
5 months ago
bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity