Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

No Deadline Validation in SetDeadline Function

muzammilmohammed678

Root + Impact

Description

Describe the normal behavior in one or more sentences
The `set_deadline` function accepts any `u64` value as a deadline without validating that it represents a future timestamp. This allows creators to set deadlines in the past, which would immediately make the fund inactive and prevent contributions.
Explain the specific issue or problem in one or more sentences
The normal behavior should ensure that deadlines are set to future timestamps, preventing creators from accidentally or maliciously setting invalid deadlines. The current implementation accepts any value.

```rust:55-63:programs/rustfund/src/lib.rs

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

fund.deadline = deadline;

Ok(())

}

```

No validation checks if `deadline > current_timestamp`, allowing past timestamps to be set.

Risk

Likelihood:

* This occurs when creator accidentally sets a past timestamp

* This occurs when creator maliciously sets deadline to prevent contributions

* Happens when timestamp conversion errors occur

Impact:

* Fund becomes immediately inactive if past deadline is set

* Contributors cannot contribute to funds with past deadlines

* Creator may need to create a new fund if deadline is set incorrectly

* Potential DoS if deadline is set maliciously

Proof of Concept

1. Creator creates fund

2. Creator calls `set_deadline(1000)` (timestamp from year 1970)

3. Deadline is set to past

4. Any contribution attempt fails with `DeadlineReached` error

5. Fund is effectively unusable

Recommended Mitigation

```diff

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

+ // Validate deadline is in the future

+ let current_timestamp: u64 = Clock::get()?.unix_timestamp.try_into()

+ .map_err(|_| ErrorCode::InvalidTimestamp)?;

+ if deadline <= current_timestamp {

+ return Err(ErrorCode::InvalidDeadline.into());

+ }

fund.deadline = deadline;

+ fund.dealine_set = true;

Ok(())

}

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!