RustFund

First Flight #36
Submission Details
Severity: high
Valid

Refund Goal Check Missing in RustFund Contract

Summary

The refund function allows refunds based solely on the deadline passing, without checking if the funding goal was unmet, misaligning with the requirement that refunds occur only "if goals aren't met."

Vulnerability Details

The vulnerable code is in the refund function:

```rust
pub fn refund(ctx: Context<FundRefund>) -> Result<()> {
    let amount = ctx.accounts.contribution.amount;
    // Only the deadline is checked here; the funding goal is never consulted.
    if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
        return Err(ErrorCode::DeadlineNotReached.into());
    }
    // Refund logic...
    Ok(())
}
```

  • Missing Goal Condition: No check for fund.amount_raised < fund.goal.
  • Deadline-Only Logic: Assumes failure if deadline passes, ignoring goal status.

Impact

  • Funds Misallocation: Refunds could occur even if the goal is met, contradicting contributor intent.
  • Logic Disruption: Misrepresents campaign failure conditions.

Tools Used

Manual Review

Recommendations

Add a goal check:

```rust
pub fn refund(ctx: Context<FundRefund>) -> Result<()> {
    let fund = &ctx.accounts.fund;
    let amount = ctx.accounts.contribution.amount;
    let current_time = Clock::get()?.unix_timestamp.try_into().unwrap();
    // Refunds are only available once the deadline (if set) has passed...
    if fund.deadline != 0 && fund.deadline > current_time {
        return Err(ErrorCode::DeadlineNotReached.into());
    }
    // ...and only if the campaign did not reach its goal.
    if fund.amount_raised >= fund.goal {
        return Err(ErrorCode::GoalMet.into());
    }
    // Refund logic...
    Ok(())
}
```

Add a new error code:

```rust
#[error_code]
pub enum ErrorCode {
    // ... existing errors ...
    #[msg("Campaign goal met, no refund allowed")]
    GoalMet,
}
```

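The two refund gates side by side, as an added example that is not the contract's own code: a plain-Rust model without Anchor that runs the reported deadline-only check and the recommended check over the same campaign states. The `Fund` struct, its `u64` field types, the function names and the scenario values are assumptions constructed for illustration.

```rust
// Plain-Rust model of the refund gate (no Anchor); u64 field types are assumed.
#[derive(Debug, PartialEq)]
pub enum RefundError {
    DeadlineNotReached,
    GoalMet,
}

pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
    pub deadline: u64, // 0 skips the deadline check, as in the page's condition
}

// Gate as reported: only the deadline is examined.
pub fn gate_deadline_only(fund: &Fund, now: u64) -> Result<(), RefundError> {
    if fund.deadline != 0 && fund.deadline > now {
        return Err(RefundError::DeadlineNotReached);
    }
    Ok(())
}

// Gate as recommended: the deadline check followed by the goal check.
pub fn gate_with_goal_check(fund: &Fund, now: u64) -> Result<(), RefundError> {
    gate_deadline_only(fund, now)?;
    if fund.amount_raised >= fund.goal {
        return Err(RefundError::GoalMet);
    }
    Ok(())
}

// Constructed scenarios: (label, fund state, current time).
pub fn scenarios() -> Vec<(&'static str, Fund, u64)> {
    vec![
        ("running, goal unmet", Fund { goal: 100, amount_raised: 40, deadline: 1_000 }, 500),
        ("ended, goal unmet", Fund { goal: 100, amount_raised: 40, deadline: 1_000 }, 1_500),
        ("ended, goal met", Fund { goal: 100, amount_raised: 100, deadline: 1_000 }, 1_500),
        ("no deadline, goal met", Fund { goal: 100, amount_raised: 150, deadline: 0 }, 500),
    ]
}

fn main() {
    for (label, fund, now) in scenarios() {
        let before = gate_deadline_only(&fund, now);
        let after = gate_with_goal_check(&fund, now);
        println!("{label:<22} deadline-only: {before:?}  with goal check: {after:?}");
    }
}
```

The last two rows are the ones that differ: the deadline-only gate returns `Ok(())` for a campaign that met its goal, while the gate with the goal check returns `GoalMet`.
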
Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no check for goal achievement in `refund` function
