RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Inadequate Tracking of Contribution Amounts Preventing Refunds

edoscoba

Summary

The vulnerability lies in the failure of the contract to update the contribution record’s amount when funds are contributed. As a result, contributors are unable to retrieve their funds through the refund mechanism, even when a campaign does not meet its goal and the deadline is reached. This report outlines the technical details, potential impact, and recommendations for remediation.

Vulnerability Details

Flaw Description:
The core issue is found in the contribute function, where a new contribution record is initialized with an amount of zero. Instead of updating the record with the contributed amount, the contract merely transfers the SOL from the contributor to the campaign account. Consequently, the refund logic, which relies on the contribution record’s amount to determine the refundable funds, always perceives the amount as zero.

Code Analysis:
The problematic section in the contribute function is as follows:

if contribution.contributor == Pubkey::default() {

contribution.contributor = ctx.accounts.contributor.key();

contribution.fund = fund.key();

contribution.amount = 0;

}

// Transfer SOL from contributor to fund account

// ...

fund.amount_raised += amount;

The function fails to update contribution.amount with the transferred amount. When a contributor later attempts to request a refund using the refund function, the contract checks the contribution record and finds an amount of zero, resulting in no funds being refunded.

Refund Implications:
The refund function is designed to return contributed funds if a campaign fails (i.e., the deadline is reached without meeting the funding goal). However, due to the zeroed contribution amount, even eligible contributors do not receive any reimbursement, leaving their funds effectively locked within the contract.

Impact

Financial Loss for Contributors:
Contributors expecting a refund in the event of an unsuccessful campaign will not be able to recover their funds. This creates a direct financial risk for users and undermines the trust in the crowdfunding platform.

Reputation and Trust:
The inability to refund contributions as promised severely damage the platform’s reputation. Trust is a critical component in decentralized crowdfunding, and such vulnerabilities discourage future contributions, hindering the platform’s growth.

Tools Used

Manual Review

Recommendations

Update Contribution Record:
Modify the contribute function to properly update the contribution.amount with the contributed funds. For instance, if the record is uninitialized, set it to the contributed amount; if it already exists, increment it accordingly:

if contribution.contributor == Pubkey::default() {

contribution.contributor = ctx.accounts.contributor.key();

contribution.fund = fund.key();

contribution.amount = amount;

} else {

contribution.amount = contribution.amount.checked_add(amount).ok_or(ErrorCode::CalculationOverflow)?;

}

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Contribution amount is not updated

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.