RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: high
Valid

Unrestricted Withdrawals Allowing Premature Fund Access

Summary

The withdraw function allows creators to withdraw funds without verifying if the campaign has met its funding goal or if the deadline has passed. This violates the requirement that creators can only withdraw funds after a successful campaign.

Vulnerability Details

In the withdraw function, there are no checks to confirm whether the campaign's funding goal has been achieved or if the deadline has been reached. This allows the creator to withdraw funds immediately after creation, regardless of the campaign's status.

Impact

Creators can drain funds prematurely, leaving contributors unable to claim refunds even if the campaign fails. This breaks the core trust model of the platform.

Tools Used

Manual code review

Recommendations

Add checks in the withdraw function to ensure the deadline has passed and the goal has been met:

    // Deadline guard: a deadline of 0 means it was never set, so treat it as not reached.
    // Clock::get()? propagates the sysvar error instead of panicking on unwrap.
    if fund.deadline == 0 || Clock::get()?.unix_timestamp < fund.deadline as i64 {
        return Err(ErrorCode::DeadlineNotReached.into());
    }
    // Goal guard: the creator may only withdraw once the campaign has fully funded.
    if fund.amount_raised < fund.goal {
        return Err(ErrorCode::GoalNotMet.into());
    }
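The unguarded withdraw beside the guarded one, as an added standalone example (not the RustFund program's own code): `Fund` and `ErrorCode` are hypothetical stand-ins carrying only the fields and variants this finding names, and `now` stands in for the on-chain `Clock::get()?.unix_timestamp`, so the logic can be exercised off-chain.

```rust
// Hypothetical account shape with just the fields the finding refers to.
#[derive(Debug, Clone)]
pub struct Fund {
    pub goal: u64,          // lamports the campaign must raise
    pub deadline: u64,      // unix timestamp; 0 means not yet set
    pub amount_raised: u64, // lamports contributed so far
}

#[derive(Debug, PartialEq, Eq)]
pub enum ErrorCode {
    DeadlineNotReached,
    GoalNotMet,
}

/// Vulnerable shape described in the finding: the creator can take everything
/// at any time, with no regard to the deadline or the goal.
pub fn withdraw_unchecked(fund: &mut Fund) -> Result<u64, ErrorCode> {
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    Ok(amount)
}

/// Hardened shape: both guards from the recommendation, with `now` standing in
/// for the clock sysvar timestamp the on-chain handler would read.
pub fn withdraw_checked(fund: &mut Fund, now: i64) -> Result<u64, ErrorCode> {
    if fund.deadline == 0 || now < fund.deadline as i64 {
        return Err(ErrorCode::DeadlineNotReached);
    }
    if fund.amount_raised < fund.goal {
        return Err(ErrorCode::GoalNotMet);
    }
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    Ok(amount)
}

fn main() {
    // Constructed sample: goal 1000, deadline t=2000, only 500 raised so far.
    let mut fund = Fund { goal: 1_000, deadline: 2_000, amount_raised: 500 };
    println!("unchecked: {:?}", withdraw_unchecked(&mut fund.clone()));
    println!("before deadline: {:?}", withdraw_checked(&mut fund, 1_000));
    println!("after deadline, under goal: {:?}", withdraw_checked(&mut fund, 2_000));
    fund.amount_raised = 1_200;
    println!("after deadline, goal met: {:?}", withdraw_checked(&mut fund, 2_000));
}
```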
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

No goal achievement check in `withdraw` function
