RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Fund Owners Can Withdraw Funds Prematurely (Rug Risk)

i_atiq

Summary

The withdraw function currently allows creators to withdraw all raised funds without verifying whether the campaign goal has been met. This contradicts the intended behavior as per the documentation, which states that creators should only be able to withdraw funds if their campaign succeeds.

Vulnerability Details

Currently, the function does not check whether amount_raised has reached the required goal before allowing withdrawals. This means a creator can withdraw funds even if the fundraising goal has not been met.

There is no condition in withdraw ensuring that ctx.accounts.fund.amount_raised >= ctx.accounts.fund.goal before funds are withdrawn.

Impact

  • Campaigns may fail to meet their objectives, but creators can still withdraw funds

  • Fund owners can rug pull contributors without meeting campaign goal

Tools Used

  • Manual code review

Recommendations

  • Modify the withdraw function to ensure funds can only be withdrawn if the goal is met:

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {
let amount = ctx.accounts.fund.amount_raised;
+ if amount < ctx.accounts.fund.goal {
+ return Err(ErrorCode::GoalNotMet.into()); // Prevent withdrawal if goal is not reached
+ }
**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.fund.to_account_info().lamports()
.checked_sub(amount)
.ok_or(ProgramError::InsufficientFunds)?;
**ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? =
ctx.accounts.creator.to_account_info().lamports()
.checked_add(amount)
.ok_or(ErrorCode::CalculationOverflow)?;
Ok(())
}
Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No goal achievement check in `withdraw` function

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.