Submission Details
Severity:
Repeated Deadline Setting (a malicious Creator Can Lock Contributions Forever)
Summary
This function is responsible for setting deadlines for the fundraising rounds by checking if the deadline has been set previously
pub fn set_dealine(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.dealine = dealine;
Ok(())
}
Since set_deadline checks fund.dealine_set before setting a deadline, but dealine_set is never updated to true, the fund creator can keep modifying the deadline indefinitely.
Impact
The creator can extend the deadline unfairly, preventing refunds or delaying fund withdrawal.
Tools Used
Manual review
Recommendations
You should update fund.dealine_set = true; inside set_deadline:
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline;
+ fund.dealine_set = true; // FIX: Ensure the deadline cannot be changed again
Ok(())
}
Updates
Appeal created
bube 2 months ago
Submission Judgement Published Assigned finding tags:
Deadline set flag is not updated in `set_deadline` function
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.