RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Valid

Fund Owner can withdraw more than he is supposed to.

Summary

The fund owner can call the `withdraw` function repeatedly and have the contribution amount transferred indefinitely.

Vulnerability Details

The `withdraw` function in lib.rs is used by the owner of the fund to withdraw the amount contributed by the contributors. With this implementation, anyone who is the owner can withdraw the contributed amount for a good cause. However, consider the following implementation of the `withdraw` function:

```rust
pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
    // The payout is whatever the counter currently says was raised.
    let amount = ctx.accounts.fund.amount_raised;
    **ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
        ctx.accounts.fund.to_account_info().lamports()
        .checked_sub(amount)
        .ok_or(ProgramError::InsufficientFunds)?;
    **ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =
        ctx.accounts.creator.to_account_info().lamports()
        .checked_add(amount)
        .ok_or(ErrorCode::CalculationOverflow)?;
    // There is no decrement of the funds we are trying to withdraw.
    Ok(())
}
```

Here we can see that the owner can take `amount_raised` from the fund. However, `amount_raised` is never decremented, so the owner can call the function indefinitely and potentially drain the contract.

Impact

The contract (Program) can be drained

Tools Used

Manual Analysis/Auditing

Recommendations

`amount_raised` should be decremented after each withdrawal by the owner.
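
The missing decrement and the recommended accounting, as an added example that is not part of the submission or the RustFund code: a plain-Rust model of the two balances with no Solana or Anchor runtime. The `Fund` struct, `WithdrawError`, `replay` and the sample balances are assumptions constructed for illustration.

```rust
// Plain-Rust model of the accounting only; names and balances are hypothetical.
#[derive(Debug, PartialEq)]
enum WithdrawError { InsufficientFunds, CalculationOverflow }

struct Fund { lamports: u64, amount_raised: u64 }

// Mirrors the reported logic: pays out amount_raised and leaves the counter untouched.
fn withdraw_vulnerable(fund: &mut Fund, creator: &mut u64) -> Result<(), WithdrawError> {
    let amount = fund.amount_raised;
    fund.lamports = fund.lamports.checked_sub(amount).ok_or(WithdrawError::InsufficientFunds)?;
    *creator = creator.checked_add(amount).ok_or(WithdrawError::CalculationOverflow)?;
    Ok(())
}

// Same transfer, then the counter is decremented by what was paid out.
fn withdraw_fixed(fund: &mut Fund, creator: &mut u64) -> Result<(), WithdrawError> {
    let amount = fund.amount_raised;
    fund.lamports = fund.lamports.checked_sub(amount).ok_or(WithdrawError::InsufficientFunds)?;
    *creator = creator.checked_add(amount).ok_or(WithdrawError::CalculationOverflow)?;
    fund.amount_raised -= amount; // cannot underflow: amount == amount_raised
    Ok(())
}

// Calls `withdraw` until it fails or `max_calls` is reached.
// Returns (creator balance, number of successful calls).
fn replay(withdraw: fn(&mut Fund, &mut u64) -> Result<(), WithdrawError>, max_calls: u32) -> (u64, u32) {
    // Constructed state: the counter records 100 raised, the account holds 300.
    let mut fund = Fund { lamports: 300, amount_raised: 100 };
    let mut creator = 0u64;
    let mut ok_calls = 0;
    for _ in 0..max_calls {
        if withdraw(&mut fund, &mut creator).is_err() { break; }
        ok_calls += 1;
    }
    (creator, ok_calls)
}

fn main() {
    println!("vulnerable (creator, ok calls): {:?}", replay(withdraw_vulnerable, 5));
    println!("fixed      (creator, ok calls): {:?}", replay(withdraw_fixed, 5));
}
```

In the vulnerable model the only thing that stops repeated payouts is the `checked_sub` on the account balance; with the decrement in place, every call after the first transfers zero.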

Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`amount_raised` is not reset to 0 in `withdraw` function
