The "rustfund" contract has a high-severity vulnerability in the `FundSetDeadline` function, allowing the creator to set the fund’s deadline multiple times. The function includes a check to prevent this using a `dealine_set` flag (likely a typo for `deadline_set`), but it fails to update this flag to `true` after setting the deadline. As a result, the creator can repeatedly modify the deadline, potentially manipulating the crowdfunding timeline to delay refunds or extend the campaign indefinitely. This undermines the contract’s integrity and contributor trust, as a fixed deadline is a standard expectation in crowdfunding systems.
The vulnerability occurs in the `FundSetDeadline` function, which is intended to allow the creator to set a deadline for the fund only once. However, due to a missing update to the `dealine_set` flag, the restriction is ineffective, enabling multiple deadline changes.
The root cause is the omission of an instruction to set `fund.dealine_set = true` after updating `fund.deadline`. The function checks the flag to prevent re-setting but does not mark the deadline as set, allowing subsequent calls to succeed. Below is the relevant code snippet:
In this snippet:
`if fund.dealine_set` checks whether the deadline has already been set, intending to block further changes.
If the check passes (i.e., `dealine_set` is `false`), `fund.deadline` is updated to the new value.
However, there is no subsequent `fund.dealine_set = true;` to indicate the deadline has been set, so `dealine_set` remains `false` (its default value from `FundCreate`).
Note the typo: `dealine_set` should be `deadline_set`, as defined in the `Fund` struct, though this doesn’t affect functionality in this context since the field is consistently misspelled.
The `Fund` struct confirms the presence of the flag:
In `FundCreate`, `dealine_set` is initialized to `false`:
Since `FundSetDeadline` never updates this flag, it remains `false`, allowing the creator to call the function repeatedly.
This vulnerability has significant implications for the contract’s operation and fairness:
Timeline Manipulation: The creator can change the deadline multiple times, extending the campaign indefinitely or shortening it to trigger immediate refund eligibility. For example, they could set a distant deadline, collect funds, then reset it to a past date to block refunds while withdrawing funds (exacerbated by the second vulnerability).
Interaction with Other Functions:
In `FundContribute`, contributions are blocked if the deadline has passed (`deadline < current_time`), so extending the deadline allows more contributions.
In `FundRefund`, refunds are only allowed after the deadline, so delaying it prevents contributors from reclaiming funds.
Manual Code Review
To address this vulnerability, the following steps are recommended:
Update the `dealine_set` Flag in `FundSetDeadline`:
Modify the `FundSetDeadline` function to set `fund.dealine_set = true` after updating the deadline, ensuring it can only be set once. Here’s the corrected code snippet:
Fix the Typo:
Correct the typo from `dealine_set` to `deadline_set` for consistency and clarity across the contract. Update all instances:
In the `Fund` struct:
In `FundCreate`:
In `FundSetDeadline`: