RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Reentrancy Vulnerability in Contribution Function: Potential Fund Manipulation and Double-Accounting

sloth

Audit Report: RustFund Smart Contract

Commit Hash: b5dd7b0

[H-1] Reentrancy Vulnerability in Contribution Function: Potential Fund Manipulation and Double-Accounting

Description:

The contribute function in the RustFund smart contract updates the fund's state after performing a transfer operation, creating a reentrancy vulnerability. The function increments the amount_raised state variable only after executing an external call to transfer SOL from the contributor to the fund account. By updating state after the transfer, the contract becomes vulnerable to reentrancy attacks where a malicious actor could recursively call back into the contribute function before the initial execution completes.

Impact:

An attacker could exploit this vulnerability to:

Have a single contribution counted multiple times

Artificially inflate the amount_raised value beyond their actual contribution

Manipulate the fundraising metrics to potentially trigger premature goal achievement

Create accounting inconsistencies between actual funds held and reported amounts

This vulnerability threatens the integrity of the fundraising system and could lead to financial losses for the protocol or its users.

Proof of Concept:

Click to expand/collapse the Proof of Concept

describe('RustFund Reentrancy Vulnerability', () => {

it('Demonstrates state inconsistency via reentrancy', async () => {

// Setup accounts

const attacker = anchor.web3.Keypair.generate();

const fundName = "Test Fund";

const [fundPDA] = await PublicKey.findProgramAddress(

[Buffer.from(fundName), creator.publicKey.toBuffer()],

program.programId

);

const ATTACK_COUNT = 3;

console.log(`🔄 Setting up attack to call contribute ${ATTACK_COUNT} times`);

// 1. Create fund

await program.methods

.fundCreate(fundName, "Description", new anchor.BN(100 * LAMPORTS_PER_SOL))

.accounts({

fund: fundPDA,

creator: creator.publicKey,

systemProgram: SystemProgram.programId,

})

.signers([creator])

.rpc();

console.log("✅ Fund created successfully");

// 2. Initial state check

let fundAccount = await program.account.fund.fetch(fundPDA);

console.log("📊 Initial fund state:");

console.log(` - amount_raised: ${fundAccount.amountRaised.toNumber() / LAMPORTS_PER_SOL} SOL`);

// 3. First legitimate contribution (1 SOL)

const contributionAmount = 1 * LAMPORTS_PER_SOL;

console.log(`\n💰 Contributing ${contributionAmount / LAMPORTS_PER_SOL} SOL to fund...`);

await program.methods

.contribute(new anchor.BN(contributionAmount))

.accounts({

fund: fundPDA,

contributor: attacker.publicKey,

contribution: contributionPDA,

systemProgram: SystemProgram.programId,

})

.signers([attacker])

.rpc();

// 4. Simulate reentrancy attack by manually calling contribute additional times

console.log("\n🔥 SIMULATING REENTRANCY ATTACK");

for (let i = 1; i < ATTACK_COUNT; i++) {

console.log(` Reentrant call #${i} of ${ATTACK_COUNT-1}...`);

// Reentrant call - amount=0 because no additional funds would be transferred

await program.methods

.contribute(new anchor.BN(0))

.accounts({

fund: fundPDA,

contributor: attacker.publicKey,

contribution: contributionPDA,

systemProgram: SystemProgram.programId,

})

.signers([attacker])

.rpc();

}

console.log(" Reentrancy attack simulation complete");

// 5. Check final state after attack

fundAccount = await program.account.fund.fetch(fundPDA);

const fundSOLBalance = await provider.connection.getBalance(fundPDA);

console.log("\n🔍 After simulated reentrancy attack:");

console.log(` - State amount_raised: ${fundAccount.amountRaised.toNumber() / LAMPORTS_PER_SOL} SOL`);

console.log(` - Actual fund balance: ${fundSOLBalance / LAMPORTS_PER_SOL} SOL`);

// Calculate the discrepancy

const discrepancy = fundAccount.amountRaised.toNumber() - fundSOLBalance;

if (discrepancy > 0) {

console.log(" ❌ VULNERABILITY CONFIRMED: State inconsistency detected!");

console.log(` 💸 Attack profit opportunity: ${discrepancy / LAMPORTS_PER_SOL} SOL`);

console.log(` 📈 Exploitation factor: ${ATTACK_COUNT}x (Called ${ATTACK_COUNT} times)`);

}

/* Expected terminal output:

🔄 Setting up attack to call contribute 3 times

✅ Fund created successfully

📊 Initial fund state:

- amount_raised: 0 SOL

💰 Contributing 1 SOL to fund...

🔥 SIMULATING REENTRANCY ATTACK

Reentrant call #1 of 2...

Reentrant call #2 of 2...

Reentrancy attack simulation complete

🔍 After simulated reentrancy attack:

- State amount_raised: 3 SOL

- Actual fund balance: 1 SOL

❌ VULNERABILITY CONFIRMED: State inconsistency detected!

💸 Attack profit opportunity: 2 SOL

📈 Exploitation factor: 3x (Called 3 times)

});

Recommended Mitigation:

To prevent reentrancy attacks in the contribute function, implement the Checks-Effects-Interactions (CEI) pattern by updating the fund's state before performing the external SOL transfer. This ensures that any reentrant calls will operate on the updated state, eliminating the possibility of double-counting contributions. Additionally, consider adding a reentrancy guard to explicitly block recursive calls if needed, though CEI alone does suffice in this case.

Here's the corrected version of the contribute function:

Click to expand/collapse the Recommended Mitigation Code

pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

let contribution = &mut ctx.accounts.contribution;

+ // Checks: Validate conditions before proceeding

if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineReached.into());

}

// Initialize or update contribution record

if contribution.contributor == Pubkey::default() {

contribution.contributor = ctx.accounts.contributor.key();

contribution.fund = fund.key();

contribution.amount = 0;

}

+ // Effects: Update state before any external interactions

+ contribution.amount = contribution.amount.checked_add(amount)

+ .ok_or(ErrorCode::CalculationOverflow)?;

+ fund.amount_raised = fund.amount_raised.checked_add(amount)

+ .ok_or(ErrorCode::CalculationOverflow)?;

+ // Interactions: Perform external calls after state updates

// Transfer SOL from contributor to fund account

let cpi_context = CpiContext::new(

ctx.accounts.system_program.to_account_info(),

system_program::Transfer {

from: ctx.accounts.contributor.to_account_info(),

to: fund.to_account_info(),

);

system_program::transfer(cpi_context, amount)?;

- fund.amount_raised += amount;

Ok(())

}

Updates

Appeal created

bube Lead Judge 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[Invalid] Reentrancy

The reentrancy attacks occur when the contract modifies state and makes an external call, allowing the attacker to reenter. The `contribute` function doesn't perform an external call. For the SOL transfer the function uses a system program, not an external call to another smart contract. Therefore, there is no attack vector for reentrancy.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.