RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: high
Valid

Refund does not check if goal is met

Summary

The refund method in the program does not check if the campaign goal (fund.goal) has been reached before allowing refunds. This allows contributors to reclaim funds even if the campaign successfully met its goal, which may undermine the intended behavior of a successful crowdfunding campaign.

Vulnerability Details

The refund function processes refunds based solely on the deadline, without considering whether the campaign reached its funding goal (fund.amount_raised >= fund.goal).

This allows contributors to withdraw their funds after the deadline even if the campaign succeeded.

// Only the deadline is checked; amount_raised is never compared with goal.
if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
    return Err(ErrorCode::DeadlineNotReached.into());
}

Impact

Creators expecting to keep funds from a successful campaign may lose those funds if contributors refund after the deadline.

Tools Used

Recommendations

Add Goal Check in Refund Method

// Reject the refund while the deadline has not passed, or once the goal has been met.
if (ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap()) || ctx.accounts.fund.amount_raised >= ctx.accounts.fund.goal {
    return Err(ErrorCode::DeadlineNotReached.into());
}

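
The refund guard from this report, modelled as an added stand-alone Rust example (not the RustFund program's code and not part of the submission), run over the four deadline/goal combinations. The `Fund` field names follow the report; `RefundError`, its `GoalReached` variant and both function names are assumptions, and the campaign values are constructed.

```rust
// Stand-alone model of the refund guard (added example; no Anchor or Solana dependencies).
// Field names follow the report; RefundError and both function names are hypothetical.

#[derive(Debug, PartialEq)]
pub enum RefundError {
    DeadlineNotReached,
    GoalReached, // hypothetical variant, not taken from the program
}

pub struct Fund {
    pub goal: u64,
    pub deadline: u64, // unix seconds; 0 means no deadline was set
    pub amount_raised: u64,
}

/// Guard as quoted in the report: only the deadline is checked.
pub fn refund_guard_reported(fund: &Fund, now: i64) -> Result<(), RefundError> {
    let now = u64::try_from(now).expect("negative clock");
    if fund.deadline != 0 && fund.deadline > now {
        return Err(RefundError::DeadlineNotReached);
    }
    Ok(())
}

/// Hardened guard: additionally refuse refunds once the goal has been met.
pub fn refund_guard_hardened(fund: &Fund, now: i64) -> Result<(), RefundError> {
    refund_guard_reported(fund, now)?;
    if fund.amount_raised >= fund.goal {
        return Err(RefundError::GoalReached);
    }
    Ok(())
}

fn main() {
    // Constructed campaign: goal 1_000, deadline at t=100.
    let deadline = 100;
    for (raised, now) in [(400, 50), (400, 150), (1_000, 50), (1_000, 150)] {
        let fund = Fund { goal: 1_000, deadline, amount_raised: raised };
        println!(
            "raised={raised:>5} now={now:>3} reported={:?} hardened={:?}",
            refund_guard_reported(&fund, now),
            refund_guard_hardened(&fund, now)
        );
    }
}
```

Only the last row differs between the two guards: after the deadline with the goal met, the reported guard returns `Ok(())` while the hardened one rejects the refund.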
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no check for goal achievement in `refund` function
