No access control on set_deadline()
Summary
set_deadline() doesn't implement access control
Vulnerability Details
This function implements no access control and can be invoked by anyone when the README clearly states only the creator should be able to invoke it.
Impact
Since there is no access control, any user can maliciously set the deadline to be a time in the past causing the fund to fail, users being able to withdraw their contributions and breaking the whole idea of the protocol.
Tools Used
N/A
Recommendations
Add the following code in the beginning of the set_deadline function:
Appeal created
[Invalid] Lack of access control in `set_deadline` function
There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function: ``` #[account(mut, has_one = creator)] pub fund: Account<'info, Fund> ``` If they don’t match, the transaction fails. Also, signer verification is included: ``` #[account(mut)] pub creator: Signer<'info>, ``` The creator account must be a signer, meaning the transaction must be signed using the creator's private key.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.