Summary

The contract allows contributors to send funds to a campaign even if the creator has not set a deadline. This results in an open-ended campaign where funds can be contributed indefinitely without clear resolution criteria. Such behavior contradicts standard crowdfunding principles, where campaigns operate within predefined time frames.

Vulnerability Details

In the RustFund contract, each campaign has a deadline field, but there is no enforcement ensuring that a deadline must be set before contributions are accepted. The contribute function does not check if the deadline_set flag is true, allowing contributions even when a deadline is absent.

Affected Code

Since the contribute function does not validate whether a deadline is set, contributions can be made to campaigns that have no expiration date. This creates unclear conditions for refunds, fund withdrawals, and campaign closure.

Impact

• Indefinite Fundraising: Campaigns without deadlines can collect funds indefinitely, leading to abandoned or forgotten campaigns with locked funds.

• Refund Ambiguity: Contributors might expect a refund after a reasonable timeframe, but without a deadline, refunds may never be triggered.

• Campaign Mismanagement: The creator may never finalize the campaign, leaving contributors without clarity on fund utilization.

Tools Used

Manual Review

Recommendations

• Enforce Deadline Before Contribution: Modify the contribute function to ensure a deadline is set before allowing contributions.

• Automatically Assign Default Deadlines: If a creator does not set a deadline, consider enforcing a default expiration period (e.g., 30 days).