Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

No Validation on Campaign Name and Description Lengths

0xki

Root + Impact

Description

While the Fund struct defines #[max_len(200)] for name and #[max_len(5000)] for description, there's no validation that these strings are non-empty. A campaign could be created with empty name and description, reducing discoverability and creating poor UX.

pub fn fund_create(ctx: Context<FundCreate>, name: String, description: String, goal: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
fund.name = name; // ❌ No validation that name.len() > 0
fund.description = description; // ❌ No validation
// ...
}

#[account]
#[derive(InitSpace)]
pub struct Fund {
#[max_len(200)]
pub name: String, // Max length enforced, but not min
#[max_len(5000)]
pub description: String,
// ...
}

Risk

Likelihood:

Users can create campaigns with empty strings
Will occur naturally (lazy users, testing, mistakes)
Not malicious but degrades platform UX reliably

Impact:

Campaigns with no name/description can be created
Reduces platform usability and trust
Off-chain systems must handle empty string edge cases
No immediate security impact but degrades platform quality

Proof of Concept

N/A

Recommended Mitigation

FIX: Validate non-empty strings & FIX: Validate reasonable lengths

pub fn fund_create(

ctx: Context<FundCreate>,

name: String,

description: String,

goal: u64

) -> Result<()> {

// ✅ FIX: Validate non-empty strings

require!(!name.is_empty(), ErrorCode::NameEmpty);

require!(!description.is_empty(), ErrorCode::DescriptionEmpty);

// ✅ FIX: Validate reasonable lengths

require!(name.len() >= 3, ErrorCode::NameTooShort);

require!(name.len() <= 200, ErrorCode::NameTooLong);

require!(description.len() >= 10, ErrorCode::DescriptionTooShort);

require!(description.len() <= 5000, ErrorCode::DescriptionTooLong);

let fund = &mut ctx.accounts.fund;

fund.name = name;

fund.description = description;

fund.goal = goal;

// ... rest

}

#[error_code]

pub enum ErrorCode {

// ... existing codes ...

#[msg("Campaign name cannot be empty")]

NameEmpty,

#[msg("Campaign name must be at least 3 characters")]

NameTooShort,

#[msg("Campaign name exceeds 200 characters")]

NameTooLong,

#[msg("Description cannot be empty")]

DescriptionEmpty,

#[msg("Description must be at least 10 characters")]

DescriptionTooShort,

#[msg("Description exceeds 5000 characters")]

DescriptionTooLong,

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!