RustFund

First Flight #36
Beginner Friendly, Rust
Submission Details
Severity: high
Valid

Missing check on goal in `refund` function

Summary

The `refund` function checks that the deadline has been reached, but it does not check that the goal has not been met.

Vulnerability Details

The `refund` function checks that the deadline has been reached, but it does not check that the goal has not been met. This breaks the logic of the refund function as described in the README.

Only the deadline is checked:

```rust
pub fn refund(ctx: Context<FundRefund>) -> Result<()> {
    let amount = ctx.accounts.contribution.amount;
    // Rejects the refund only while the deadline is still in the future.
    if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {
        return Err(ErrorCode::DeadlineNotReached.into());
    }
    // ... remainder of the function not shown
```

Impact

The logic does not match the README: anyone can call the refund function once the deadline is reached even when the goal is met, which is not the intended purpose of the function.

Tools Used

Manual Review

Recommendations

Add a check that `fund.amount_raised` is lower than `fund.goal` before authorizing the refund.

```rust
// Reject the refund when the campaign has reached its goal.
if fund.amount_raised >= fund.goal {
    return Err(ErrorCode::CampaignSuccessful.into());
}
```

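
The effect of the missing check, as an added example that is not part of the original submission or the RustFund code: a plain-Rust model of the refund precondition without Anchor dependencies. The `Fund` field types and the function names `refund_check_reported` and `refund_check_recommended` are assumptions made for the illustration.

```rust
// Added example: plain-Rust model of the refund precondition (no Anchor/Solana
// dependencies). Field types are assumed; field and error names follow the report.
#[derive(Debug, PartialEq)]
pub enum ErrorCode {
    DeadlineNotReached,
    CampaignSuccessful,
}

pub struct Fund {
    pub goal: u64,
    pub deadline: u64, // unix timestamp; 0 passes the deadline check, as in the reported code
    pub amount_raised: u64,
}

/// The check as reported: only the deadline is tested.
pub fn refund_check_reported(fund: &Fund, now: u64) -> Result<(), ErrorCode> {
    if fund.deadline != 0 && fund.deadline > now {
        return Err(ErrorCode::DeadlineNotReached);
    }
    Ok(())
}

/// The same check with the recommended goal test added.
pub fn refund_check_recommended(fund: &Fund, now: u64) -> Result<(), ErrorCode> {
    refund_check_reported(fund, now)?;
    if fund.amount_raised >= fund.goal {
        return Err(ErrorCode::CampaignSuccessful);
    }
    Ok(())
}

fn main() {
    // Constructed sample campaigns: deadline at t=1_000, goal of 500.
    let met = Fund { goal: 500, deadline: 1_000, amount_raised: 500 };
    let missed = Fund { goal: 500, deadline: 1_000, amount_raised: 499 };
    for (name, fund, now) in [("goal met, after deadline", &met, 1_001u64),
                              ("goal missed, after deadline", &missed, 1_001),
                              ("goal missed, before deadline", &missed, 999)] {
        println!("{name}: reported={:?} recommended={:?}",
                 refund_check_reported(fund, now),
                 refund_check_recommended(fund, now));
    }
}
```
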
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no check for goal achievement in `refund` function
