RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Goal Reached Check in Withdraw Function

sbenarjee7

Summary

The withdraw function in the RustFund program allows the creator to withdraw all raised funds without verifying if the campaign's funding goal has been met, potentially enabling premature or unauthorized withdrawals.

Vulnerability Details

In the current implementation of the withdraw function:

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {

let amount = ctx.accounts.fund.amount_raised;

**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =

ctx.accounts.fund.to_account_info().lamports()

.checked_sub(amount)

.ok_or(ProgramError::InsufficientFunds)?;

**ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =

ctx.accounts.creator.to_account_info().lamports()

.checked_add(amount)

.ok_or(ErrorCode::CalculationOverflow)?;

Ok(())

}

There is no check to ensure fund.amount_raised >= fund.goal before allowing withdrawal
No validation of deadline
The creator can withdraw any amount raised at any time, regardless of whether the campaign succeeded

This contradicts the crowdfunding model where funds should only be withdrawable if the campaign meets its goal.

Impact

Funds Misuse: Creators can withdraw partial funds before reaching the goal, potentially abandoning the project
Contributor Trust: Contributors may lose confidence if funds can be withdrawn without meeting stated goals
Financial Loss: Contributors might not receive refunds if funds are withdrawn prematurely
Program Integrity: Undermines the intended functionality of a goal-based crowdfunding platform

Tools Used

Manual code review

Recommendations

Modify the withdraw function to include goal verification and deadline passed checks.

Updates

Appeal created

bube Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

No goal achievement check in `withdraw` function

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.