RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: high
Invalid

Contribution is never Finalized

Summary

The contribute method in the program does not check whether the campaign goal (fund.goal) has been reached before executing its logic. This allows contributions to exceed the goal, and refunds to proceed without considering whether the goal has been reached, which could lead to overfunding.

Vulnerability Details

Contribute Method: The contribute function allows contributions even after the fund.amount_raised exceeds fund.goal. There is no check to prevent further contributions once the goal is met.

2025-03-rustfund/programs/rustfund/src/lib.rs at main · CodeHawks-Contests/2025-03-rustfund

Impact

Contributors can add funds beyond the campaign goal, leading to potential confusion or mismanagement of funds. For example, if a campaign aims for 1 SOL but receives 2 SOL, the excess funds aren't handled or capped, which may violate the campaign's intent.

Tools Used

Recommendations

Add a check to prevent contributions if they would exceed the goal. For example:

if fund.amount_raised.checked_add(amount).ok_or(ErrorCode::CalculationOverflow)? > fund.goal {
    return Err(ErrorCode::GoalReached.into());
}

Updates
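To make the recommendation concrete, here is an added, stand-alone model of the two behaviours this finding contrasts. It is not code from the RustFund program: the `Fund` struct, `ErrorCode` enum, `LAMPORTS_PER_SOL` constant and both `contribute_*` functions are assumed names standing in for the Anchor account and instruction handler, and the Solana runtime is left out so the logic can be run and checked on its own. The capped variant computes the new total first, rejects it if it would pass the goal, and only then writes account state, so a rejected contribution leaves `amount_raised` untouched.

```rust
// Added example, not the RustFund program's own code. `Fund`, `ErrorCode`,
// `LAMPORTS_PER_SOL` and the contribute_* functions are assumed names that
// model the Anchor account and handler discussed in the finding.

#[derive(Debug, Clone, PartialEq)]
pub struct Fund {
    pub goal: u64,          // campaign target, in lamports
    pub amount_raised: u64, // running total of contributions, in lamports
}

#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    CalculationOverflow, // u64 addition would wrap
    GoalReached,         // contribution would push the total past the goal
}

/// Behaviour described in the finding: the running total is guarded against
/// arithmetic overflow only, never against exceeding `goal`.
pub fn contribute_uncapped(fund: &mut Fund, amount: u64) -> Result<(), ErrorCode> {
    fund.amount_raised = fund
        .amount_raised
        .checked_add(amount)
        .ok_or(ErrorCode::CalculationOverflow)?;
    Ok(())
}

/// Recommended behaviour: check the would-be total against the goal before
/// mutating state, so a rejected call leaves the account unchanged.
pub fn contribute_capped(fund: &mut Fund, amount: u64) -> Result<(), ErrorCode> {
    let new_total = fund
        .amount_raised
        .checked_add(amount)
        .ok_or(ErrorCode::CalculationOverflow)?;
    if new_total > fund.goal {
        return Err(ErrorCode::GoalReached);
    }
    fund.amount_raised = new_total;
    Ok(())
}

pub const LAMPORTS_PER_SOL: u64 = 1_000_000_000;

fn main() {
    // Constructed scenario from the Impact section: a 1 SOL goal receiving 2 SOL.
    let mut uncapped = Fund { goal: LAMPORTS_PER_SOL, amount_raised: 0 };
    contribute_uncapped(&mut uncapped, LAMPORTS_PER_SOL).unwrap();
    contribute_uncapped(&mut uncapped, LAMPORTS_PER_SOL).unwrap();
    println!(
        "uncapped: raised {} lamports against a goal of {}",
        uncapped.amount_raised, uncapped.goal
    );

    let mut capped = Fund { goal: LAMPORTS_PER_SOL, amount_raised: 0 };
    contribute_capped(&mut capped, LAMPORTS_PER_SOL).unwrap();
    let second = contribute_capped(&mut capped, 1);
    println!(
        "capped: second contribution -> {:?}, total stays {}",
        second, capped.amount_raised
    );
}
```

Running `main` prints the uncapped total reaching 2 SOL while the capped fund rejects the second contribution with `GoalReached` and stays at exactly the goal. The overflow check runs before the goal comparison in both variants, matching the order in the recommended snippet.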

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[Invalid] The contributions are allowed even after the campaign's goal is reached

Typically, crowdfunding campaigns allow contributions after the goal is achieved. This is normal, because the goal of the campaign is to raise as many funds as possible. Therefore, this is a design choice.
