RustFund

First Flight #36
Beginner Friendly, Rust
100 EXP
Submission Details
Severity: medium
Valid

dealine_set Flag is Not Updated After Updating Deadline

Summary

The set_deadline function does not update the dealine_set flag after setting the deadline. As a result, the function can be called multiple times, allowing the fund creator to change the deadline arbitrarily.

Vulnerability Details

In the set_deadline function, the dealine_set flag is intended to prevent multiple modifications to the deadline. However, after setting fund.deadline, the flag is not updated to true, meaning that a fund owner can repeatedly call the function and override the deadline. If the goal is not reached, the owner can keep updating the deadline to prevent users from getting a refund.
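
The behaviour described above, modelled in plain Rust as an added example (not code from the RustFund repository). The `goal` and `amount_raised` fields, the `refund_open` rule and the timestamps are assumptions made for illustration, and no Anchor types are used so that it runs stand-alone.

```rust
#[derive(Debug, PartialEq)]
enum FundError { DeadlineAlreadySet }

#[derive(Default)]
struct Fund {
    goal: u64,          // assumed field
    amount_raised: u64, // assumed field
    deadline: u64,
    dealine_set: bool,  // spelled as in the reviewed code
}

type SetDeadline = fn(&mut Fund, u64) -> Result<(), FundError>;

// Behaviour the finding describes: the guard is checked, but the flag is never set.
fn set_deadline_vulnerable(fund: &mut Fund, deadline: u64) -> Result<(), FundError> {
    if fund.dealine_set {
        return Err(FundError::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    Ok(())
}

// Recommended behaviour: the first successful call latches the flag.
fn set_deadline_fixed(fund: &mut Fund, deadline: u64) -> Result<(), FundError> {
    if fund.dealine_set {
        return Err(FundError::DeadlineAlreadySet);
    }
    fund.deadline = deadline;
    fund.dealine_set = true;
    Ok(())
}

// Assumed refund rule: refunds open once the deadline has passed with the goal unmet.
fn refund_open(fund: &Fund, now: u64) -> bool {
    now >= fund.deadline && fund.amount_raised < fund.goal
}

// Sets the deadline to 100, retries with 200, then reports the second call's
// result and whether refunds are open at time 100.
fn second_call_outcome(set_deadline: SetDeadline) -> (Result<(), FundError>, bool) {
    let mut fund = Fund { goal: 1_000, amount_raised: 400, ..Default::default() };
    set_deadline(&mut fund, 100).expect("first call must succeed");
    let second = set_deadline(&mut fund, 200);
    (second, refund_open(&fund, 100))
}

fn main() {
    println!("vulnerable: {:?}", second_call_outcome(set_deadline_vulnerable));
    println!("fixed:      {:?}", second_call_outcome(set_deadline_fixed));
}
```

The same two assertions work as a regression test for the fix: the second call must fail with `DeadlineAlreadySet`, and the original deadline must still govern refunds.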

Impact

  • The fund creator can arbitrarily change the deadline at any time.

  • This could lead to manipulation, such as extending the deadline indefinitely.

Tools Used

  • Manual code review

Recommendations

  • Update the dealine_set flag when the deadline is set:

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline;
+ fund.dealine_set = true;
Ok(())
}
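
Review bot: `fund.deadline = deadline;` stores the caller's value with no validation, and once the added `fund.dealine_set = true;` latches, a mistaken value (zero, or a time already in the past) can never be corrected. Suggest rejecting such values before the assignment, for example by comparing `deadline` with the current on-chain time, assuming the field holds a Unix timestamp. As a style point, `dealine_set` is a misspelling of `deadline_set` and is worth renaming while this function is being changed.
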
Updates

Appeal created

bube Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Deadline set flag is not updated in `set_deadline` function
