RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Invalid

No Contribution Cap in RustFund Contract

Summary

The contribute function accepts contributions that push amount_raised past the campaign's funding goal, so a campaign can be overfunded.

Vulnerability Details

The vulnerable code is in the contribute function (the `fund` binding is restored here so the snippet is complete; the behaviour is unchanged):

rust

    pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
        let fund = &mut ctx.accounts.fund;
        // Transfer logic...
        // Unconditionally adds to the running total: nothing compares the new total to fund.goal.
        fund.amount_raised += amount;
        Ok(())
    }

  • No Limit: nothing compares amount_raised + amount against goal, so amount_raised can grow past goal without bound.

Impact

  • Logic Disruption: Overfunding may confuse campaign status or payout logic.

  • User Experience: Contributors may overpay unintentionally.

Tools Used

Manual Review

Recommendations

Cap contributions, computing the new total with checked arithmetic so the cap cannot be bypassed by a wrapping sum in a build without overflow-checks (a sum that overflows u64 necessarily exceeds any u64 goal, so it maps to the same error):

rust

    pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
        let fund = &mut ctx.accounts.fund;
        // checked_add: a plain `+` wraps in release mode unless overflow-checks is enabled,
        // and a wrapped (small) sum would pass the `> goal` comparison below.
        let new_total = fund
            .amount_raised
            .checked_add(amount)
            .ok_or(ErrorCode::GoalExceeded)?;
        if new_total > fund.goal {
            return Err(ErrorCode::GoalExceeded.into());
        }
        // Transfer logic...
        // Store the already-validated total instead of adding a second time.
        fund.amount_raised = new_total;
        Ok(())
    }

Add new error code:

rust

    #[error_code]
    pub enum ErrorCode {
        // ... existing errors ...
        #[msg("Contribution exceeds funding goal")]
        GoalExceeded,
    }
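As an added, stand-alone example (not RustFund's code and not part of this submission), the cap check modelled in plain Rust without Anchor so it runs with rustc or cargo test: the `Fund` struct, the `CapPolicy` and `ContributeError` enums, the zero-amount check and the `remaining_capacity` helper are assumptions introduced here. It shows two things the recommendation above leaves implicit: the new total has to be computed with `checked_add`, because a plain `+` wraps in release builds without `overflow-checks` and a wrapped sum would slip past the `> goal` comparison; and the same function can be switched to the overfunding behaviour the judge accepted, which makes the cap a policy decision rather than a correctness fix.

```rust
// Standalone model of a crowdfunding `contribute` with an optional cap.
// Added example: `Fund`, `CapPolicy`, `ContributeError` and
// `remaining_capacity` are assumptions, not RustFund's types.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ContributeError {
    /// The contribution would push `amount_raised` above `goal`.
    GoalExceeded,
    /// `amount_raised + amount` does not fit in a u64.
    Overflow,
    /// A zero contribution is rejected as a pointless state change.
    ZeroAmount,
}

/// Hard cap at `goal` (the report's recommendation) or accept overfunding
/// (the behaviour the judge treated as a design choice).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CapPolicy {
    HardCap,
    AllowOverfunding,
}

/// Applies a contribution to `fund`; state is mutated only on success.
pub fn contribute(
    fund: &mut Fund,
    amount: u64,
    policy: CapPolicy,
) -> Result<(), ContributeError> {
    if amount == 0 {
        return Err(ContributeError::ZeroAmount);
    }
    // checked_add: `fund.amount_raised + amount` wraps in release builds
    // unless `overflow-checks = true`, and a wrapped sum would pass the
    // `> goal` comparison and bypass the cap.
    let new_total = fund
        .amount_raised
        .checked_add(amount)
        .ok_or(ContributeError::Overflow)?;
    if policy == CapPolicy::HardCap && new_total > fund.goal {
        return Err(ContributeError::GoalExceeded);
    }
    // The token transfer would happen here in the on-chain program;
    // the validated total is stored only after every check passed.
    fund.amount_raised = new_total;
    Ok(())
}

/// Largest contribution a hard-capped campaign still accepts; lets a client
/// avoid the GoalExceeded error instead of discovering it on-chain.
pub fn remaining_capacity(fund: &Fund) -> u64 {
    fund.goal.saturating_sub(fund.amount_raised)
}

fn main() {
    let mut fund = Fund { goal: 1_000, amount_raised: 900 };
    println!("{:?}", contribute(&mut fund, 100, CapPolicy::HardCap));
    println!("{:?}", contribute(&mut fund, 1, CapPolicy::HardCap));
    println!("{:?}", contribute(&mut fund, 1, CapPolicy::AllowOverfunding));
    println!("{:?} remaining={}", fund, remaining_capacity(&fund));
}
```

Under `HardCap` a contribution that lands exactly on the goal is accepted and the next lamport is refused; under `AllowOverfunding` the same call succeeds and `amount_raised` passes `goal`, which is the behaviour the judge described as normal for crowdfunding. The overflow case is kept separate from the cap so the error a contributor sees is accurate either way.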
Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[Invalid] The contributions are allowed even after the campaign's goal is reached

Typically, crowdfunding campaigns allow contributions after the goal is achieved. This is normal, because the goal of the campaign is to raise as much funding as possible. Therefore, this is a design choice.
