RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

The set_deadline function does not set the dealine_set flag to true

0xWithdrawers

The set_deadline() function in the rustfund program contains a vulnerability that allows campaign creators to manipulate deadlines indefinitely. While the function correctly checks if fund.dealine_set is true before allowing the deadline to be changed, it never sets this flag to true after setting the deadline.

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

Ok(())

}

The function is missing a crucial line to update the flag: fund.dealine_set = true;

This oversight bypasses a key safeguard intended to prevent creators from manipulating deadlines after they've been set. According to the project documentation, this flag is meant to enforce deadline immutability, which is an essential part of the platform's trust model.

Impact

Refund evasion: Creators can prevent users from obtaining refunds by continually extending the deadline whenever it approaches. This directly undermines the project's advertised "Refund Mechanism" which promises that "Contributors can get refunds if deadlines are reached and goals aren't met."
Fund locking: Contributors' funds can be effectively locked indefinitely, as the refund function is contingent upon the deadline being reached:

if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
return Err(ErrorCode::DeadlineNotReached.into());
}

Proof of Concept (PoC)

The following test demonstrates how a creator can set the deadline multiple times, effectively bypassing the intended deadline immutability:

import * as anchor from "@coral-xyz/anchor";

import { Program } from "@coral-xyz/anchor";

import { Rustfund } from "../target/types/rustfund";

import { assert } from "chai";

describe("VULN-02: set_deadline vulnerability", () => {

// Configures the provider to use the local cluster

const provider = anchor.AnchorProvider.env();

anchor.setProvider(provider);

const program = anchor.workspace.Rustfund as Program<Rustfund>;

// Test variables

const fundName = "TestFund";

const description = "Testing deadline vulnerability";

const goal = new anchor.BN(1000000);

let fundPda: anchor.web3.PublicKey;

it("Allows you to modify the deadline several times", async () => {

// Derivation of PDA address for financing account

[fundPda] = await anchor.web3.PublicKey.findProgramAddress(

[Buffer.from(fundName), provider.wallet.publicKey.toBuffer()],

program.programId

);

// Fund creation

await program.rpc.fundCreate(fundName, description, goal, {

accounts: {

fund: fundPda,

creator: provider.wallet.publicKey,

systemProgram: anchor.web3.SystemProgram.programId,

});

// First deadline assignment

const deadline1 = new anchor.BN(Math.floor(Date.now() / 1000) + 3600); // 1 hour in the future

await program.rpc.setDeadline(deadline1, {

accounts: {

fund: fundPda,

creator: provider.wallet.publicKey,

});

// Second deadline assignment (which should not be possible if the flag is set to true)

const deadline2 = new anchor.BN(Math.floor(Date.now() / 1000) + 7200); // 2 hours into the future

await program.rpc.setDeadline(deadline2, {

accounts: {

fund: fundPda,

creator: provider.wallet.publicKey,

});

// Check that the deadline has been updated to the second value

const fundAccount = await program.account.fund.fetch(fundPda);

assert.ok(

fundAccount.deadline.eq(deadline2),

"The deadline may have been modified several times, but vulnerability presents"

);

});

Save the above test as, for example, tests/02.ts in your project's test directory and run the test :

anchor test

Concrete Impact Example

To illustrate the real-world impact of this vulnerability, consider this scenario:

A creator launches a campaign to fund a project with a goal of 100 SOL
The creator sets an initial deadline of 30 days
Contributors collectively deposit 80 SOL (below the goal)
As the deadline approaches, the creator realizes they won't reach the goal
Instead of allowing refunds as promised, the creator extends the deadline by another 30 days
This pattern can repeat indefinitely, effectively locking contributor funds
Even if contributors try to request refunds, they'll be rejected with "DeadlineNotReached" errors

Recommendation

The fix for this vulnerability is straightforward. The set_deadline() function should be modified to set the dealine_set flag to true after setting the deadline:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

fund.dealine_set = true; // Add this line to fix the vulnerability

Ok(())

}

Updates

Appeal created

bube Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.