RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Contribution Amount Validation

sbenarjee7

Summary

The contribute function in the RustFund program lacks validation on the amount parameter, allowing contributions of any value, including 0, extremely small "dust" amounts, or values that could potentially cause arithmetic overflows when added to fund.amount_raised. This absence of checks can lead to edge cases that affect program behavior and usability.

Vulnerability Details

In the contribute function:

pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
let contribution = &mut ctx.accounts.contribution;
if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
return Err(ErrorCode::DeadlineReached.into());
}
if contribution.contributor == Pubkey::default() {
contribution.contributor = ctx.accounts.contributor.key();
contribution.fund = fund.key();
contribution.amount = 0;
}
let cpi_context = CpiContext::new(
ctx.accounts.system_program.to_account_info(),
system_program::Transfer {
from: ctx.accounts.contributor.to_account_info(),
to: fund.to_account_info(),
},
);
system_program::transfer(cpi_context, amount)?;
fund.amount_raised += amount;
Ok(())
}

  • The amount parameter (type u64) is passed directly to the system_program::transfer call and added to fund.amount_raised without validation.

  • No minimum check exists to prevent amount = 0 or dust amounts (e.g., 1 lamport).

  • No overflow check is explicitly implemented using checked_add, though the Solana runtime might catch some overflow cases during lamport transfers.

  • No upper bound check ensures amount doesn't exceed available contributor funds or a reasonable contribution limit.

This allows:

  • Contributions of 0 lamports, which are meaningless and could spam the system.

  • Tiny contributions (e.g., 1 lamport) that increase transaction volume without meaningful impact.

  • Large contributions that might overflow fund.amount_raised if not mitigated elsewhere (e.g., if fund.amount_raised + amount > u64::MAX).

Impact

  • Spam Risk: Zero or dust contributions could be used to create numerous Contribution accounts, increasing storage costs and potentially clogging the program with irrelevant data.

  • Overflow Potential: Without explicit overflow protection, adding a large amount to fund.amount_raised could theoretically wrap around (though Solana's lamport transfer might fail first), leading to inconsistent state.

  • Usability Issues: Lack of a minimum contribution threshold might confuse users or allow trivial contributions that don’t align with the platform’s purpose.

  • Resource Waste: Processing and storing negligible contributions consumes compute units and account space unnecessarily.

Tools Used

Manual Review

Recommendations

Add validation to the contribute function to enforce minimum and maximum contribution limits, and use safe arithmetic.

  • Minimum Check: Set a reasonable minimum (e.g., 0.0001 SOL) to prevent spam and ensure meaningful contributions.

  • Overflow Protection: Use checked_add for both fund.amount_raised and contribution.amount to prevent arithmetic overflow.

  • Optional Upper Limit: Could add a maximum contribution check (e.g., 1M SOL) if desired, though the Solana runtime will fail transfers exceeding available lamports.

Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Arithmetic overflow in `contribute` function

The max value of u64 is: 18,446,744,073,709,551,615 or around 18.4 billion SOL, given that the total supply of SOL on Solana is 512.50M, the scenario when the `contribute` function will revert due to overflow is very very unlikely to happen. Therefore, this is informational finding.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.