Lack of Deadline Validation Allows Past Dates
Summary
The RustFund contract does not validate whether a campaign's deadline is set in the future. This allows a creator to set a deadline in the past, which can result in instant expiration, unfairly preventing contributions or immediately triggering refund conditions.
Vulnerability Details
Currently, when a campaign creator sets a deadline, there is no validation ensuring that the deadline is later than the current blockchain timestamp. This means a creator can mistakenly set a deadline that has already passed.
Example Scenario:
A creator launches a campaign and sets the deadline to a past timestamp (e.g., yesterday).
The campaign is immediately marked as expired, even though no contributions have been made.
Problematic Code
Impact
Instant Campaign Expiry: Contributors may attempt to fund campaigns that are already expired, leading to failed transactions.
Unfair Refund Triggering: Malicious creators could trigger refund conditions immediately to manipulate funds.
Tools Used
Manual Code Review
Recommendations
Enforce Future Deadlines: Modify the set_deadline function to validate that the deadline is greater than the current blockchain timestamp.
Appeal created
[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function
The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set correct deadline, otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.