RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Creator can withdraw funds before deadline is reached

chinepun

Summary

The creator is able to initiate a withdrawal before the deadline is reached hence blocking users from a refund if the goal is not reached

Vulnerability Details

This gives creators the oppurtunity to perform a rug pull and steal from the contributors regardless of whether the goal is reached or not

Impact

Contributors will lose access to refunds If creator initiates a withdrawal before deadline is reached and the goal is not eventually met

Tools Used

Manual

POC

Add this test in rustfund.ts#L94 just before the refund is called

//await new Promise(resolve => setTimeout(resolve, 15000)); This shows creator can withdraw before deadline is reached
try{
await program.methods
.withdraw()
.accounts({
fund: fundPDA,
creator: creator.publicKey,
systemProgram: anchor.web3.SystemProgram.programId,
})
.rpc();
console.log("Successful Withdrawal before refund"); // Transaction reaches here hence is successful
}catch(e){
console.log(e);
}

Recommendations

Ensure that withdraw can only be called when deadline has reached
Add this check in withdraw

if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
return Err(ErrorCode::DeadlineNotReached.into());
}
Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No deadline check in `withdraw` function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.