RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Invalid

Access Control Issues – Unrestricted Fund Withdrawals

Summary

The withdraw function does not properly enforce access control, allowing any user to withdraw funds from any fund. This means an attacker could steal funds from other campaigns by specifying a fund they do not own.

If exploited, this vulnerability could lead to loss of user funds, donor fraud, and reduced trust in the crowdfunding platform.

Vulnerability Details

Vulnerable code:

```rust
pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
    let amount = ctx.accounts.fund.amount_raised;
    **ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
        ctx.accounts.fund.to_account_info().lamports()
            .checked_sub(amount)
            .ok_or(ProgramError::InsufficientFunds)?;
    **ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =
        ctx.accounts.creator.to_account_info().lamports()
            .checked_add(amount)
            .ok_or(ErrorCode::CalculationOverflow)?;
    Ok(())
}
```

Issue:

  • There is no verification to ensure that only the fund creator can withdraw funds.

  • An attacker can pass any fund's address as input and steal funds from other campaigns.

Impact

**Complete loss of funds** for affected fundraisers.

  • Malicious actors can drain any fund without ownership verification.

  • Loss of trust in the crowdfunding platform, leading to lower user adoption.

Tools Used: Manually

Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Lack of access control in `withdraw` function

There are enough security checks in the `withdraw` function. Anchor enforces that the creator must sign the transaction. And `has_one = creator` ensures that the fund’s creator matches the provided creator account.
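
The two checks named in the judgement can be modelled in plain Rust without the Anchor crate. This is an added example, not code from the submission or the RustFund repository; the `FundWithdraw` layout, the `Pubkey` stand-in, and the type, function and error names are assumptions that mirror the semantics of Anchor's `Signer` type and `has_one = creator` constraint.

```rust
// Model of the account validation that runs before the `withdraw` body executes.
// Assumption: FundWithdraw declares `fund` with `has_one = creator` and
// `creator` as a `Signer`, as the judgement describes; the struct is not on the page.

type Pubkey = [u8; 32]; // stand-in for the Solana public key type

#[derive(Debug, PartialEq)]
enum ValidationError {
    AccountNotSigner, // the `creator` account did not sign the transaction
    ConstraintHasOne, // fund.creator differs from the key of the `creator` account
}

/// On-chain state of a fund (only the field relevant to the check).
struct Fund {
    creator: Pubkey,
}

/// An account as supplied by the transaction: its key and whether it signed.
struct AccountInput {
    key: Pubkey,
    is_signer: bool,
}

/// Both checks must pass before any lamports are moved.
fn validate_fund_withdraw(fund: &Fund, creator: &AccountInput) -> Result<(), ValidationError> {
    if !creator.is_signer {
        return Err(ValidationError::AccountNotSigner);
    }
    if fund.creator != creator.key {
        return Err(ValidationError::ConstraintHasOne);
    }
    Ok(())
}

fn main() {
    let owner: Pubkey = [1; 32]; // constructed keys, not real addresses
    let outsider: Pubkey = [2; 32];
    let fund = Fund { creator: owner };
    let cases = [
        ("owner signs", AccountInput { key: owner, is_signer: true }),
        ("outsider signs as creator", AccountInput { key: outsider, is_signer: true }),
        ("owner key, no signature", AccountInput { key: owner, is_signer: false }),
    ];
    for (label, creator) in &cases {
        println!("{}: {:?}", label, validate_fund_withdraw(&fund, creator));
    }
}
```

A caller who names someone else's fund must either supply their own key as `creator`, which fails the `has_one` comparison, or supply the real creator's key, which fails the signer check.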
