RustFund

First Flight #36

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Refund Function Lacks Goal Achievement Verification

lazyrams

Summary

The refund mechanism in RustFund currently allows contributors to claim refunds solely based on the campaign deadline. It does not verify whether the funding goal was unmet before permitting refunds. This behavior contradicts the intended functionality of refunding only when campaigns fail to reach their goals.

Vulnerability Details

In the existing implementation of the refund function, refunds are processed if the campaign deadline is reached, without checking whether the campaign’s funding goal was met. This issue is illustrated by the following snippet:

if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineNotReached.into());

}

This logic only ensures that the deadline has passed, but it does not include a condition to prevent refunds if the goal has been reached. As a result, even if a campaign is successful, contributors can still claim refunds, potentially depleting the funds that the creator is entitled to withdraw.

Impact

Financial Risk: Contributors might reclaim their contributions even after a campaign succeeds, leading to financial discrepancies.

Campaign Integrity: The campaign creator might lose access to legitimately raised funds, undermining trust in the platform.
Platform Reliability: The overall credibility of RustFund as a decentralized crowdfunding platform is compromised, as it deviates from its intended refund logic.

Tools Used

Manual code review

Static analysis of the refund function logic

Recommendations

Add a Goal Check: Modify the refund function to include a condition that checks whether the campaign's funding goal was reached before processing a refund. For example:

if ctx.accounts.fund.amount_raised >= ctx.accounts.fund.goal {
return Err(ErrorCode::GoalReached.into());
}
Define Appropriate Error: Update the ErrorCode enum to include a new error variant (e.g., GoalReached) for situations when refunds are attempted on successful campaigns.
Testing: Implement comprehensive unit and integration tests to ensure that refunds are only processed when the deadline is reached and the campaign goal is not met.

By implementing these changes, the refund mechanism will align with the intended functionality of RustFund, ensuring that contributors can only reclaim funds when a campaign fails to meet its funding goal by the deadline.

Updates

Appeal created

bube Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

There is no check for goal achievement in `refund` function

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.