Submission Details
Severity:
Refund function not checking if goal was reached.
Summary
refund function not checking if the goal was reached.
Vulnerability Details
refundfunction does not check if the goal was reached, so even if it was reached but the owner didn't withdrawl the money yet depositors could get them back.
pub fn refund(ctx: Context<FundRefund>) -> Result<()> {
let amount = ctx.accounts.contribution.amount;
if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
return Err(ErrorCode::DeadlineNotReached.into());
}
**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.fund.to_account_info().lamports()
.checked_sub(amount)
.ok_or(ProgramError::InsufficientFunds)?;
**ctx.accounts.contributor.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.contributor.to_account_info().lamports()
.checked_add(amount)
.ok_or(ErrorCode::CalculationOverflow)?;
// Reset contribution amount after refund
ctx.accounts.contribution.amount = 0;
Ok(())
}
Impact
the idea of crowdfunding is that contributors can only recover their money if the deadline or the goal was reached but even if the goal was reached contributors can still get their money back.
Tools Used
manual
Recommendations
check if goal of the crowdfunding was reached, if not allow for refund
Updates
Appeal created
bube 5 months ago
Submission Judgement Published Assigned finding tags:
There is no check for goal achievement in `refund` function
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.