RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Unsafe Direct Lamport Manipulation in refund(), withdraw() Functions

lazyrams

Summary

The refund function in the provided code directly manipulates the lamports of accounts using try_borrow_mut_lamports(). This approach bypasses the Solana runtime's safety checks, leading to potential security vulnerabilities and program instability.

Vulnerability Details

In the refund function, lamports are transferred between accounts by directly adjusting their balances:

**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.fund.to_account_info().lamports().checked_sub(amount).ok_or(ProgramError::InsufficientFunds)?;

**ctx.accounts.contributor.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.contributor.to_account_info().lamports().checked_add(amount).ok_or(ErrorCode::CalculationOverflow)?;

This method of direct lamport manipulation can lead to several issues:

Bypassing Rent Exemption Checks: Accounts in Solana must maintain a minimum balance to be rent-exempt. Directly reducing an account's lamports without verifying rent exemption can result in the account being marked for deletion by the Solana runtime.
Ownership Constraints: Only the owning program of an account can modify its data and lamport balance. Direct manipulation without proper checks can violate these constraints, leading to program errors.
Lack of Atomicity: Direct lamport transfers lack the atomic transaction guarantees provided by the system program's transfer instruction, potentially leading to inconsistent states in case of program interruptions.

Impact

Exploiting this vulnerability can result in unauthorized fund transfers, violation of Solana's account ownership rules, and potential loss of funds due to accounts becoming non-rent-exempt.

Tools Used

Code analysis and Solana's official documentation.

Recommendations

Replace the direct lamport manipulation with Solana's system program transfer instruction to ensure safe and compliant fund transfers in refund() & withdraw() functions:

let cpi_context = CpiContext::new(

ctx.accounts.system_program.to_account_info(),

system_program::Transfer {

from: ctx.accounts.fund.to_account_info(),

to: ctx.accounts.contributor.to_account_info(),

);

system_program::transfer(cpi_context, amount)?;

This approach leverages Solana's native mechanisms for transferring lamports, ensuring adherence to the platform's safety and security protocols.

Updates

Appeal created

bube Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Unsafe direct lamport manipulation

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.