Missing access control at set_deadline()
Vulnerability Details
There's no check to validate that the caller of the function is the creator leaving the function vulnerable to missing access control.
Impact
anyone can call set_deadline() and set a deadline.
Tools Used
Manual review.
Recommendations
add a check to validate that the caller is the creator before setting the deadline.
Appeal created
[Invalid] Lack of access control in `set_deadline` function
There is no need for additional checks of the caller's key inside the `set_deadline` function because Anchor verifies the `has_one = creator` constraint before executing the function. This ensures that the creator field inside the fund account must match the creator (signer) passed to the function: ``` #[account(mut, has_one = creator)] pub fund: Account<'info, Fund> ``` If they don’t match, the transaction fails. Also, signer verification is included: ``` #[account(mut)] pub creator: Signer<'info>, ``` The creator account must be a signer, meaning the transaction must be signed using the creator's private key.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.