Summary

The refund function processes refunds by transferring lamports from the fund account back to the contributor and resetting the contribution amount. However, the function fails to update the fund's internal amount_raised variable, resulting in an inconsistency between the on-chain lamport balance and the recorded fund amount.

Vulnerability Details

In the refund function, after transferring the amount from the fund to the contributor, only the contributor’s refund and the contribution record are updated. The fund`s internal tracking variable (amount_raised) is not decremented by the refunded amount.

Impact

The fund’s recorded balance amount_raised remains artificially high, creating a discrepancy between the on-chain state and the actual lamport balance held in the account. Future operations that depend on the accurate state of amount_raised may behave unexpectedly or fail due to this inconsistency.

Tools Used

Manual Code Review: A detailed examination of the refund function to trace the lamport transfer process and state updates.

Recommendations

Modify the refund function to decrement the amount_raised by the refunded amount.