RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Invalid

Missing input validation for string lengths

Summary

Potential account size overflow or DoS

Vulnerability Details

An attacker could attempt to pass oversized strings, potentially causing:

Impact

A malicious user creates a fund with a name > 200 bytes or a description > 5000 bytes, causing account initialization failure, excessive compute unit consumption and unexpected behavior in clients parsing the data in front-end applications.

Although this is partially mitigated by Anchor's serialization, explicit checks improve security.

Tools Used

Manual review

Recommendations

Add explicit length checks.

```rust
require!(name.len() <= 200, ErrorCode::NameTooLong);
require!(description.len() <= 5000, ErrorCode::DescriptionTooLong);
```

Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[Invalid] Lack of length validation of `name` and `description` in `fund_create` function

There is a validation for the lengths of `name` and `description` in `fund_create` function:

```
pub struct Fund {
    #[max_len(200)]
    pub name: String,
    #[max_len(5000)]
    .....
}
```

Anchor will check for the lengths of these parameters and the function will fail if they have more characters than the constraints.
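An added illustration, not part of the submission, the judge's comment or the RustFund code: a std-only Rust model that compares a bound coming only from the account's allocated space with the explicit per-field checks recommended in the submission. It assumes Borsh string encoding (4-byte little-endian length prefix plus the bytes) and a buffer sized from the two `max_len` values, and it omits the other `Fund` fields; `FundError`, `put_str`, `create_space_only` and `create_checked` are hypothetical names.

```rust
// Added illustration: a std-only model, not Anchor or RustFund code.
// Assumptions: the account buffer is sized from the max_len values and
// strings are Borsh-encoded (u32 LE length prefix + UTF-8 bytes).
const NAME_MAX: usize = 200;
const DESC_MAX: usize = 5000;
// Two length-prefixed strings; the other Fund fields are omitted here.
const SPACE: usize = (4 + NAME_MAX) + (4 + DESC_MAX);

#[derive(Debug, PartialEq)]
pub enum FundError {
    NameTooLong,
    DescriptionTooLong,
    OutOfSpace, // stands in for a failed write into the account data
}

// Borsh-style string write into a fixed-size buffer.
fn put_str(buf: &mut [u8], at: &mut usize, s: &str) -> Result<(), FundError> {
    let end = *at + 4 + s.len();
    if end > buf.len() {
        return Err(FundError::OutOfSpace);
    }
    buf[*at..*at + 4].copy_from_slice(&(s.len() as u32).to_le_bytes());
    buf[*at + 4..end].copy_from_slice(s.as_bytes());
    *at = end;
    Ok(())
}

// Only the buffer size limits the input; returns the bytes written.
pub fn create_space_only(name: &str, desc: &str) -> Result<usize, FundError> {
    let (mut buf, mut at) = (vec![0u8; SPACE], 0);
    put_str(&mut buf, &mut at, name)?;
    put_str(&mut buf, &mut at, desc)?;
    Ok(at)
}

// Same write, preceded by the per-field checks the submission recommends.
pub fn create_checked(name: &str, desc: &str) -> Result<usize, FundError> {
    if name.len() > NAME_MAX {
        return Err(FundError::NameTooLong);
    }
    if desc.len() > DESC_MAX {
        return Err(FundError::DescriptionTooLong);
    }
    create_space_only(name, desc)
}

fn main() {
    let long_name = "n".repeat(300); // constructed input
    println!("{:?}", create_space_only(&long_name, "short"));
    println!("{:?}", create_checked(&long_name, "short"));
}
```

In this model a 300-byte name paired with a short description still fits the shared buffer, while the per-field check rejects it with a specific error before any write happens.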
