RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

No Check if Deadline Passed is in the Past in set_deadline function

0xblackadam

Summary

A critical vulnerability exists in the set_deadline function of the crowdfunding contract where there is no validation to prevent setting deadlines in the past, potentially compromising the fundamental time-based constraints of the fundraising mechanism.

Vulnerability Details

The problematic code segment reveals the lack of past deadline validation:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

// No validation for past deadlines

fund.deadline = deadline;

Ok(())

}

Key technical issues include:

No check to verify if the provided deadline is in the future
Allows setting deadlines in the past
Breaks the logical integrity of fundraising timelines
Potential manipulation of fund lifecycle
Compromises time-based fundraising constraints

Impact

The vulnerability creates severe consequences:

Ability to set invalid historical deadlines
Disruption of expected fundraising mechanics
Opportunities for malicious time manipulation
Setting deadlines that have already passed
Creating funds with retroactive time constraints
Undermining the purpose of time-based fundraising

Recommendations

Immediate and comprehensive recommendations include:

Implement Deadline Validation

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

// Check if deadline is already set

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

// Validate deadline is in the future

let current_timestamp = Clock::get()?.unix_timestamp.try_into().unwrap();

if deadline <= current_timestamp {

return Err(ErrorCode::InvalidDeadline.into());

}

// Set deadline and mark as set

fund.deadline = deadline;

fund.dealine_set = true;

Ok(())

}

Tools Used

Manual code review
Static code analysis

Updates

Appeal created

bube Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[Invalid] Lack of validation of the `deadline` parameter in `set_deadline` function

The creator has an incentive to pay attention to the deadline and provide correct data. If the `deadline` is set in the past, the campaign will be completed. If there are any funds the creator or the contributors (depending on the success of the campaign) can receive them. It is the creator's responsibility to set correct deadline, otherwise the creator can create a new campaign. There is no impact on the protocol from this missing check, so I consider this to be an informational issue.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.