Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Refund Allowed When Campaign Goal Is Successfully Met

vikramgoutham289

Root + Impact:

Root Cause: The refund function only validates deadline but does not check whether the campaign failed to meet its goal.

Impact: Contributors can drain funds from successful campaigns that exceeded their funding target, causing creators to lose legitimately raised funds.

Description

Normal behavior: Refunds should only be available when a campaign FAILS - meaning the deadline passed AND the goal was NOT reached. Successful campaigns should allow creator withdrawal, not contributor refunds.

Issue: The refund function only checks if the deadline has passed but never verifies that amount_raised < goal. Contributors can refund from successful campaigns.

pub fn refund(ctx: Context<FundRefund>) -> Result<()> {

let amount = ctx.accounts.contribution.amount;

// @> Only checks deadline has passed

if ctx.accounts.fund.deadline != 0 &&

ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() {

return Err(ErrorCode::DeadlineNotReached.into());

}

// @> Root cause: Missing check for fund.amount_raised < fund.goal

// @> Refunds proceed even when campaign succeeded

**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =

ctx.accounts.fund.to_account_info().lamports()

.checked_sub(amount)

.ok_or(ProgramError::InsufficientFunds)?;

// ...

}

Risk

Likelihood:HIGH

Reason 1 :Any contributor can call refund after deadline passes, regardless of whether campaign succeeded or failed
Reason 2:

No mechanism distinguishes between successful and failed campaigns in refund logic

Impact:HIGH

Impact 1:Creators lose legitimately raised funds when contributors refund from successful campaigns
Impact 2:Platform's crowdfunding model is fundamentally broken; goal-based funding becomes meaningless

Proof of Concept

// 1. Campaign with 10 SOL goal raises 15 SOL - SUCCESS

fund.goal = 10_000_000_000;

fund.amount_raised = 15_000_000_000; // Exceeded goal!

fund.deadline = past_timestamp;

// 2. Contributor calls refund after deadline

refund(ctx)?; // Succeeds! No goal check

// 3. Contributor drains funds from successful campaign

// Creator cannot withdraw their legitimately raised funds

A campaign successfully raised 15 SOL against a 10 SOL goal. After the deadline passes, contributors should NOT be able to refund since the campaign succeeded. However, the refund function only checks deadline, not goal status. Contributors can drain successful campaigns, stealing funds that rightfully belong to the creator.

Recommended Mitigation

pub fn refund(ctx: Context<FundRefund>) -> Result<()> {

let fund = &ctx.accounts.fund;

let clock = Clock::get()?;

let amount = ctx.accounts.contribution.amount;

+ require!(amount > 0, ErrorCode::NoContribution);

+ require!(

+ fund.deadline != 0 && clock.unix_timestamp as u64 >= fund.deadline,

+ ErrorCode::DeadlineNotReached

+ );

+ // Only allow refunds if campaign FAILED (goal not met)

+ require!(fund.amount_raised < fund.goal, ErrorCode::GoalReached);

ctx.accounts.contribution.amount = 0;

// ... transfer logic

}

Add a check ensuring amount_raised < goal before allowing refunds. This enforces crowdfunding rules: refunds only available for FAILED campaigns. If the goal was met, contributors cannot refund and must let the creator withdraw the successfully raised funds.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 9 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-04] Inadequate Refund Conditions

## Description the refund mechanism only verifies that the current time has passed the campaign deadline, without checking whether the campaign has failed to meet its funding goal.This oversight may result in refunds being issued even if the campaign was, in principle, successful, potentially undermining the trust and financial integrity of the platform.   ## Vulnerability Details The refund function in the contract is designed to return funds to contributors if a campaign fails. However, it only checks whether the campaign deadline has been reached (or passed) before allowing a refund, without verifying if the campaign's funding goal was met. In other words, the function solely relies on a time-based condition and does not incorporate the additional logic required to determine if a campaign has been unsuccessful. **Code Analysis:**\ The refund function contains the following check: ```Rust if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() { return Err(ErrorCode::DeadlineNotReached.into()); } ``` This condition ensures that refunds are only triggered after the deadline has passed. However, there is no subsequent verification that compares `fund.amount_raised` to the `fund.goal` to determine whether the campaign failed to meet its funding target. As a result, even if the campaign has met or exceeded its goal, contributors could potentially request refunds simply because the deadline has passed. ## proof Of Concept ```typescript it("Allows refund on a successful campaign due to missing goal check", async () => { // Define campaign parameters with a near-future deadline (5 seconds from now) const fundName = "refund flaw"; const description = "Test for refund vulnerability on a successful campaign"; const goal = new anchor.BN(1000000000); // 1 SOL goal // Set deadline to 5 seconds from now const deadline = new anchor.BN(Math.floor(Date.now() / 1000) + 5); // Generate PDA for the fund using the campaign name and creator's public key let [fundPDA, fundBump] = await PublicKey.findProgramAddress( [Buffer.from(fundName), creator.publicKey.toBuffer()], program.programId ); // Create the fund campaign await program.methods .fundCreate(fundName, description, goal) .accounts({ fund: fundPDA, creator: creator.publicKey, systemProgram: anchor.web3.SystemProgram.programId, }) .rpc(); // Set the campaign deadline await program.methods .setDeadline(deadline) .accounts({ fund: fundPDA, creator: creator.publicKey, }) .rpc(); // Airdrop lamports to otherUser so they can contribute const airdropSig = await provider.connection.requestAirdrop( otherUser.publicKey, 2 * anchor.web3.LAMPORTS_PER_SOL // e.g., 2 SOL ); await provider.connection.confirmTransaction(airdropSig); // Generate PDA for the contribution account using fund's PDA and otherUser's public key let [contributionPDA, contributionBump] = await PublicKey.findProgramAddress( [fundPDA.toBuffer(), otherUser.publicKey.toBuffer()], program.programId ); // otherUser contributes 1 SOL, meeting the campaign goal const contributionAmount = new anchor.BN(1000000000); // 1 SOL await program.methods .contribute(contributionAmount) .accounts({ fund: fundPDA, contributor: otherUser.publicKey, contribution: contributionPDA, systemProgram: anchor.web3.SystemProgram.programId, }) .signers([otherUser]) .rpc(); // Verify the campaign is successful by checking that amountRaised >= goal let fundBeforeDeadline = await program.account.fund.fetch(fundPDA); expect(fundBeforeDeadline.amountRaised.gte(goal)).to.be.true; // Wait until after the deadline has passed await new Promise((resolve) => setTimeout(resolve, 6000)); // otherUser calls refund despite the campaign being successful // (a correct implementation should disallow this refund) let refundTxSucceeded = true; try { await program.methods .refund() .accounts({ fund: fundPDA, contribution: contributionPDA, contributor: otherUser.publicKey, systemProgram: anchor.web3.SystemProgram.programId, }) .signers([otherUser]) .rpc(); } catch (err) { refundTxSucceeded = false; } // The vulnerability: refund call is erroneously allowed even though the campaign met its goal. expect(refundTxSucceeded).to.be.true; // check the contributor's balance change to further demonstrate the refund was processed. const balanceAfterRefund = await provider.connection.getBalance( otherUser.publicKey ); console.log("Contributor balance after refund:", balanceAfterRefund); }); ``` ## Impact - **Financial Discrepancies:**\ The improper refund mechanism result in successful campaigns losing funds that were meant to be retained by the campaign creator, leading to financial imbalances within the contract. - **Erosion of Trust:**\ Contributors and creators rely on the refund logic to be fair and accurate. The absence of a funding goal check in the refund function erode trust in the platform, as users could experience unexpected fund reversals or disputes over campaign success. - **Operational Risks:**\ Campaigns that meet their funding goals still be subject to refund requests, creating operational inefficiencies and potential disputes between creators and contributors. This undermines the intended crowdfunding model and could deter future participation.   ## Recommendations Update the refund function to include a check that verifies whether the campaign's funding goal has been met. Refunds should only be processed if both the deadline has passed and the `amount_raised` is below the `goal`.    ```Solidity if ctx.accounts.fund.deadline != 0 && ctx.accounts.fund.deadline > Clock::get().unwrap().unix_timestamp.try_into().unwrap() { return Err(ErrorCode::DeadlineNotReached.into()); } if ctx.accounts.fund.amount_raised >= ctx.accounts.fund.goal { return Err(ErrorCode::CampaignSuccessful.into()); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!