RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Refund function allows withdrawals when deadline is not set (deadline = 0)

0xWithdrawers

The refund() function in the rustfund program contains a vulnerability that allows contributors to withdraw funds at any time when the campaign creator has not set a deadline. The deadline is initialized to 0 during campaign creation, and if the creator never sets a deadline, the refund check condition is bypassed due to a logical flaw in the condition:

pub fn refund(ctx: Context<FundRefund>) -> Result<()> {

let amount = ctx.accounts.contribution.amount;

if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineNotReached.into());

}

// ... remainder of refund code ...

}

The key issue is that the function only blocks refunds when both conditions are true:

The deadline is not 0 (deadline != 0)
The deadline has not been reached (deadline > current_time)

This means that when a deadline is set to 0 (the default value), the first condition fails, the entire check is skipped, and refunds are allowed regardless of goal achievement or time constraints.

Impact

Premature fund withdrawal: Contributors can withdraw their funds at any time if no deadline is set, which violates the stated project documentation that refunds should "only be possible if the goal is not reached and the deadline is exceeded."
Campaign destabilization: Creators who intend to set a deadline later (but haven't yet) may find their campaigns undermined by contributors withdrawing funds prematurely.
Trust model violation: The platform's trust model is based on rules that ensure funds remain locked until specific conditions are met. This vulnerability allows contributors to bypass these conditions.
Campaign failure: Active campaigns may fail unexpectedly if contributors choose to withdraw funds due to this vulnerability, even when the project is progressing as expected.

Proof of Concept (PoC)

The following test demonstrates how a contributor can withdraw funds from a campaign that has no deadline set:

import * as anchor from "@coral-xyz/anchor";

import { Program } from "@coral-xyz/anchor";

import { Rustfund } from "../target/types/rustfund";

import { assert } from "chai";

describe("VULN-03: Refund vulnerability when deadline is not set", () => {

// Configure the provider to use the local cluster

const provider = anchor.AnchorProvider.env();

anchor.setProvider(provider);

const program = anchor.workspace.Rustfund as Program<Rustfund>;

// Test variables for a fund without a deadline (deadline remains 0)

const fundName = "TestFundNoDeadline";

const description = "Testing refund vulnerability when no deadline is set (deadline = 0)";

const goal = new anchor.BN(1000000);

let fundPda: anchor.web3.PublicKey;

let contributionPda: anchor.web3.PublicKey;

// Generate a separate contributor keypair for the first test case

const contributor = anchor.web3.Keypair.generate();

// Airdrop SOL to the contributor for the first test case

before(async () => {

const airdropSig = await provider.connection.requestAirdrop(

contributor.publicKey,

2e9 // 2 SOL in lamports

);

await provider.connection.confirmTransaction(airdropSig);

});

it("Allows refund even when deadline is not set (deadline = 0)", async () => {

// Derive the PDA for the fund account using fundName and the creator's public key

[fundPda] = await anchor.web3.PublicKey.findProgramAddress(

[Buffer.from(fundName), provider.wallet.publicKey.toBuffer()],

program.programId

);

// Create the fund (deadline is initialized to 0 by fund_create)

await program.rpc.fundCreate(fundName, description, goal, {

accounts: {

fund: fundPda,

creator: provider.wallet.publicKey,

systemProgram: anchor.web3.SystemProgram.programId,

});

// Derive the PDA for the contribution account using the fund PDA and the contributor's public key

[contributionPda] = await anchor.web3.PublicKey.findProgramAddress(

[fundPda.toBuffer(), contributor.publicKey.toBuffer()],

program.programId

);

// Contributor makes a contribution (e.g., 1 SOL = 1e9 lamports)

const contributionAmount = new anchor.BN(1e9);

await program.rpc.contribute(contributionAmount, {

accounts: {

fund: fundPda,

contributor: contributor.publicKey,

contribution: contributionPda,

systemProgram: anchor.web3.SystemProgram.programId,

signers: [contributor],

});

// At this point, the fund's deadline remains 0.

// Due to the vulnerability, the refund function does not check for a missing deadline.

await program.rpc.refund({

accounts: {

fund: fundPda,

contributor: contributor.publicKey,

contribution: contributionPda,

systemProgram: anchor.web3.SystemProgram.programId,

signers: [contributor],

});

// Fetch the contribution account to verify that the refund reset the contribution amount to 0

const contributionAccount = await program.account.contribution.fetch(contributionPda);

assert.ok(

contributionAccount.amount.eq(new anchor.BN(0)),

"Contribution amount should be reset to 0 after refund"

);

});

Save the above test as tests/03.ts in your project's test directory and run the test:

anchor test

Concrete Impact Example

To illustrate the real-world impact of this vulnerability, consider this scenario:

A creator launches a campaign to fund a 100 SOL project without immediately setting a deadline.
The creator plans to finalize and set the deadline once initial interest is confirmed.
Contributors begin funding the campaign, reaching 50 SOL.
Before the creator sets a deadline, contributors discover they can withdraw their funds at any time.
Contributors begin withdrawing funds unexpectedly, causing the campaign balance to drop.
The creator is unable to prevent these withdrawals without setting a deadline.
Even after setting a deadline, any contributions made before the deadline was set could have already been withdrawn.

Recommendation

The refund() function should be modified to enforce the business rules stated in the documentation:

pub fn refund(ctx: Context<FundRefund>) -> Result<()> {

let amount = ctx.accounts.contribution.amount;

let fund = &ctx.accounts.fund;

// First ensure a deadline has been set

if fund.deadline == 0 {

return Err(ErrorCode::DeadlineNotSet.into());

}

// Then ensure the deadline has been reached

if fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineNotReached.into());

}

// Finally, check if the goal has been met (optional additional check based on documentation)

if fund.amount_raised >= fund.goal {

return Err(ErrorCode::GoalReached.into());

}

// ... remainder of refund code ...

Ok(())

}

Additionally, a new error code should be added to the ErrorCode enum:

#[error_code]

pub enum ErrorCode {

// ... existing error codes ...

#[msg("Deadline not set")]

DeadlineNotSet,

#[msg("Goal has been reached")]

GoalReached,

}

This fix ensures that refunds are only possible when:

A deadline has been set
The deadline has been reached
The funding goal has not been met

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Possible refund before the deadline is initialized

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.