The function `fund_create` lacks strict validation for user-provided input, particularly for the `name` and `description` fields. This deficiency may lead to errors in PDA derivation and potential account mismatches.
The code assigns `name` and `description` directly from user input without ensuring they conform to expected length or format restrictions. PDA derivation relies on a correct and consistent `name` input combined with the creator's key, and unvalidated inputs might lead to unexpected behavior or failure in account lookups, compromising contract reliability.
Incorrect PDA derivation may result in funds being locked in inaccessible or unintended accounts.
Manual Code Review: Analyzed the code to identify missing validation checks.
Enforce strict length and format validations on the `name` and `description` inputs.
Reject inputs that do not meet the predefined criteria to ensure consistent PDA derivation.
Introduce specific error codes such as `NameTooLong`, `DescriptionTooLong`, `InvalidNameFormat`.
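One way to implement the recommended checks, as an added example that is not part of the submission or of the audited program. It assumes `name` is passed directly as a PDA seed (so Solana's 32-byte per-seed limit applies), takes the 200 and 5000 limits from the `max_len` attributes quoted on this page, and uses an assumed format policy; `validate_fund_input` and `FundInputError` are hypothetical names.

```rust
// Added example: std-only sketch of the checks, to be called at the top of the handler.
const MAX_SEED_LEN: usize = 32; // Solana's per-seed byte limit for PDA derivation
const MAX_NAME_LEN: usize = 200; // from #[max_len(200)] on Fund::name
const MAX_DESCRIPTION_LEN: usize = 5000; // assumed to be the description limit (field elided on the page)

#[derive(Debug, PartialEq)]
pub enum FundInputError {
    NameTooLong,
    DescriptionTooLong,
    InvalidNameFormat,
}

/// Hypothetical helper: validates both inputs before any PDA is derived from `name`.
pub fn validate_fund_input(name: &str, description: &str) -> Result<(), FundInputError> {
    // str::len() counts bytes, the unit that seed and account-space limits use.
    // The effective name limit is the stricter of the storage and seed limits.
    if name.len() > MAX_NAME_LEN.min(MAX_SEED_LEN) {
        return Err(FundInputError::NameTooLong);
    }
    if description.len() > MAX_DESCRIPTION_LEN {
        return Err(FundInputError::DescriptionTooLong);
    }
    // Assumed policy: non-empty, no surrounding whitespace, ASCII letters,
    // digits, space, '-' and '_' only, so one display name maps to one seed.
    let allowed = |c: char| c.is_ascii_alphanumeric() || matches!(c, ' ' | '-' | '_');
    if name.is_empty() || name.trim() != name || !name.chars().all(allowed) {
        return Err(FundInputError::InvalidNameFormat);
    }
    Ok(())
}

fn main() {
    // Constructed sample inputs.
    let forty_bytes = "é".repeat(20); // 20 characters, 40 bytes
    let cases = [
        ("Save the reef", "Coral restoration"),
        (forty_bytes.as_str(), "multi-byte name"),
        (" padded", "leading space"),
    ];
    for (name, description) in cases {
        println!("{:?} -> {:?}", name, validate_fund_input(name, description));
    }
}
```
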
There is a validation for the lengths of `name` and `description` in the `fund_create` function:

```
pub struct Fund {
    #[max_len(200)]
    pub name: String,
    #[max_len(5000)]
    .....
}
```

Anchor will check for the lengths of these parameters and the function will fail if they have more characters than the constraints.