Submission Details
Severity:
No check if the goal was reached for owner withdraw
Summary
owner of the crowdfunding can withdraw at any time before the goal was reached.
Vulnerability Details
owner of the crowdfunding can withdraw at any time before the goal was reached, which the docs state that it should be possible after the deadline is over and the goal is completed.
pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
let amount = ctx.accounts.fund.amount_raised;
**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.fund.to_account_info().lamports()
.checked_sub(amount)
.ok_or(ProgramError::InsufficientFunds)?;
**ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.creator.to_account_info().lamports()
.checked_add(amount)
.ok_or(ErrorCode::CalculationOverflow)?;
Ok(())
}
}
Impact
owner can retrieve value before when he is supposed to.
Tools Used
manual
Recommendations
check if the goal was reached before withdrawing.
Updates
Appeal created
bube 5 months ago
Submission Judgement Published Assigned finding tags:
No goal achievement check in `withdraw` function
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.