RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: low
Valid

[L-1] Users can `contribute` and `refund` even if the Campaign doesn't have a set deadline

Summary

According to the design of the protocol, users should be able to call the `contribute` function only once a campaign has a deadline set.

Vulnerability Details

The issue with the current code is that this behavior is not enforced. We can take a look at the `contribute` function code:

```rust
pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
    //..
    //@audit if `fund.deadline == 0` this check will pass
    if fund.deadline != 0 && fund.deadline < Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
        return Err(ErrorCode::DeadlineReached.into());
    }
    //..
    //..
}
```

When creators make a new fund, the deadline is initialized to zero (`fund.deadline = 0`). This means that as soon as a fund is created, users can deposit SOL into it via `contribute`, and they can also call `refund`, because the `refund` function has a similar check.

Impact

Breaks an assumption about the behavior of the protocol. Users are able to contribute to campaigns and withdraw their funds outside the intended time interval.

Tools Used

Manual review

Recommendations

```rust
if !fund.dealine_set {
    return Err(ErrorCode::NotStarted.into())
}
```
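The effect of the recommended guard on the quoted deadline check, as an added std-only example (not the RustFund program's code). It assumes `dealine_set` is a boolean on the fund that becomes true when the creator sets a deadline; the timestamps are constructed.

```rust
// Added illustration: a std-only model of the deadline gate, not the RustFund program.
#[derive(Debug, PartialEq)]
enum ErrorCode {
    DeadlineReached,
    NotStarted, // name taken from the recommendation on this page
}

// Only the fields the check reads. Assumption: `dealine_set` (spelled as on
// the page) is set to true when the creator sets a deadline.
struct Fund {
    deadline: u64,
    dealine_set: bool,
}

/// The check as quoted from `contribute`: 0 doubles as "no deadline yet",
/// so a freshly created fund falls straight through.
fn gate_original(fund: &Fund, now: u64) -> Result<(), ErrorCode> {
    if fund.deadline != 0 && fund.deadline < now {
        return Err(ErrorCode::DeadlineReached);
    }
    Ok(())
}

/// The same check with the recommended flag guard placed in front of it.
fn gate_recommended(fund: &Fund, now: u64) -> Result<(), ErrorCode> {
    if !fund.dealine_set {
        return Err(ErrorCode::NotStarted);
    }
    gate_original(fund, now)
}

fn main() {
    let now = 1_700_000_000; // constructed timestamp
    let cases = [
        ("fresh fund, no deadline", Fund { deadline: 0, dealine_set: false }),
        ("deadline in the future", Fund { deadline: now + 3600, dealine_set: true }),
        ("deadline passed", Fund { deadline: now - 1, dealine_set: true }),
    ];
    for (label, fund) in &cases {
        println!(
            "{}: original={:?} recommended={:?}",
            label,
            gate_original(fund, now),
            gate_recommended(fund, now)
        );
    }
}
```

Only the first case differs between the two gates: the original returns `Ok(())` for a fund whose deadline was never set, while the guarded version returns `NotStarted`.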
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

[Invalid] Contributions are allowed before the deadline is initialized.

There is no problem for users to contribute to a given campaign before the deadline is initialized. The issue is when users refund before the deadline is set.

Possible refund before the deadline is initialized
