RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Contribution Amount Not Properly Tracked

0xblackadam

Summary

A critical vulnerability exists in the crowdfunding contract's contribution tracking mechanism. The current implementation fails to accurately record and accumulate individual user contributions, potentially leading to significant financial discrepancies and compromising the integrity of the fundraising platform.

Vulnerability Details

The vulnerable code segment reveals a fundamental flaw in contribution tracking:

if contribution.contributor == Pubkey::default() {

contribution.contributor = ctx.accounts.contributor.key();

contribution.fund = fund.key();

contribution.amount = 0; // vulnerability

}

Key technical issues include:

- The logic in contribute checks if the contributor has an existing contribution but does not increment their amount.
Contributions are initialized with zero amount
No mechanism to accumulate multiple contributions from the same user
Individual contribution tracking is fundamentally broken
Fund's total amount is updated, but user-specific contributions are not tracked
Repeated contributions will not increase the recorded contribution amount

Impact

Refund will be 0 for contributors
Users cannot verify their total contributions
Incorrect tracking of contributions can lead to disputes between contributors and fund creators.
Contributors who donate multiple times will not have their total contribution accurately recorded.

Recommendations

Correctly initialize and update contribution amounts

if contribution.contributor == Pubkey::default() {

contribution.contributor = ctx.accounts.contributor.key();

contribution.fund = fund.key();

contribution.amount = amount; // Correctly set initial amount

} else {

// Safely accumulate contributions

contribution.amount = contribution.amount

.checked_add(amount)

.ok_or(ErrorCode::CalculationOverflow)?;

}

Tools Used

Manual code review

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Contribution amount is not updated

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.