RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: medium
Valid

Deadline can be updated, holding user funds hostage

Summary

The fund creator can update the deadline arbitrarily. Besides being contrary to the contract's intent, this allows user funds to be held hostage by arbitrarily extending the deadline.

Vulnerability Details

The fund.dealine_set flag is never actually set to true when the deadline is set, so the check in set_deadline never fails and the deadline can be updated again, which is contrary to the function's intent. This allows the fund owner to arbitrarily extend the deadline, holding user funds hostage. The deadline can also be set to a time in the past; although this has no clear impact here, it is still poor business logic:

    pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
        let fund = &mut ctx.accounts.fund;
        if fund.dealine_set {
            return Err(ErrorCode::DeadlineAlreadySet.into());
        }
        fund.deadline = deadline;
        Ok(())
    }

https://github.com/CodeHawks-Contests/2025-03-rustfund/blob/b5dd7b0ec01471667ae3a02520701aae405ac857/programs/rustfund/src/lib.rs#L55-L63
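
A plain-Rust model of the flaw next to the latched version, added here as an illustration and not taken from the RustFund code base. It drops the Anchor `Context`, and `deadline_passed` is a hypothetical stand-in for whatever deadline-gated withdrawal the program performs; the function names and timestamps are constructed for the example.

```rust
// Plain-Rust model of the fund account; no Anchor or Solana runtime involved.
#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineAlreadySet,
}
#[derive(Default)]
pub struct Fund {
    pub deadline: u64,
    pub dealine_set: bool, // field name spelled as in the program
}

// Mirrors the reported logic: the guard reads the flag, but nothing writes it.
pub fn set_deadline_unfixed(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    Ok(())
}

// Same logic with the flag latched after the first successful write.
pub fn set_deadline_latched(fund: &mut Fund, deadline: u64) -> Result<(), ErrorCode> {
    if fund.dealine_set {
        return Err(ErrorCode::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}

// Hypothetical stand-in for a deadline-gated withdrawal check (assumption).
pub fn deadline_passed(fund: &Fund, now: u64) -> bool {
    now >= fund.deadline
}

type Setter = fn(&mut Fund, u64) -> Result<(), ErrorCode>;
// Returns the second call's result and whether funds are releasable at the original deadline.
pub fn try_extend(set: Setter) -> (Result<(), ErrorCode>, bool) {
    let (first, later) = (1_000u64, 9_000u64); // constructed timestamps
    let mut fund = Fund::default();
    set(&mut fund, first).expect("first call must succeed");
    let second = set(&mut fund, later);
    (second, deadline_passed(&fund, first))
}

fn main() {
    println!("unfixed: {:?}", try_extend(set_deadline_unfixed));
    println!("latched: {:?}", try_extend(set_deadline_latched));
}
```

The same pair of calls works as a regression test: a second `set_deadline` must return `DeadlineAlreadySet` and leave the stored deadline unchanged.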

Impact

The deadline can be updated more than once, creating a potential risk of user funds being held hostage.

Tools Used

Manual inspection

Recommendations

Set the fund.dealine_set flag to true after the deadline is set:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline;
+ fund.dealine_set = true;
Ok(())
}
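
Review bot: the unchanged `fund.deadline = deadline;` just above the added line still accepts any `u64`, so the past-deadline case raised under Vulnerability Details survives this fix. Consider rejecting a `deadline` that is not later than the current cluster time (for example by comparing against `Clock::get()?.unix_timestamp`) before the assignment, with its own error code, so the flag is only latched on a value that makes sense.
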
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function
