Submission Details
Severity:
The fund will still continue to be open for contributions even after the contribution withdrawal
Summary
`lib.rs` implements a functionality where owner can withdraw the contributed funds by the following function
pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
let amount = ctx.accounts.fund.amount_raised;
**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.fund.to_account_info().lamports()
.checked_sub(amount)
.ok_or(ProgramError::InsufficientFunds)?;
**ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.creator.to_account_info().lamports()
.checked_add(amount)
.ok_or(ErrorCode::CalculationOverflow)?;
Ok(())
}
Here, even if the all the funds are withdraws from the fund, it would still continue to be open towards contribution, which is logically incorrect, this will allow the fund creator to get as much fundings as he like.
Impact
The fund will still be continue to work even after a withdrawl
Tools Used
Manual Analysis
Recommendations
Making the fund non-contributable after a withdraw by owner
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.