Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Deadline Can Be Set To Past Timestamp

vikramgoutham289

Root + Impact:

Root Cause: The set_deadline function accepts any u64 value without validating that it represents a future timestamp.

Impact: Creators can set deadlines to past timestamps, immediately bypassing all deadline-based protections and enabling instant fund manipulation.

Description

Normal behavior: Campaign deadlines must be set in the future to give contributors adequate time to participate and evaluate campaigns before completion.

Issue: No validation exists to ensure the deadline timestamp is greater than the current time. Creators can set deadline = 1 (year 1970) or any past value.

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

// @> Root cause: No validation that deadline > current timestamp

// @> Creator can set deadline = 0, 1, or any past value

fund.deadline = deadline;

Ok(())

}

Risk

Likelihood:MEDIUM

Reason 1 :Requires malicious intent from campaign creator to exploit
Reason 2:Simple to execute by passing any past timestamp as the deadline parameter

Impact:MEDIUM

Impact 1:All deadline-based checks become immediately satisfied, bypassing time-based protections
Impact 2:Combined with other vulnerabilities, enables instant unauthorized fund extraction

Proof of Concept

// 1. Creator creates campaign

fund_create(ctx, "Scam Campaign", "...", 10_000_000_000)?;

// 2. Creator sets deadline to Unix timestamp 1 (January 1, 1970)

set_deadline(ctx, 1)?; // Succeeds! No validation

// 3. Deadline has "already passed" - all time-based checks bypassed

// Current time (2024) > 1 (1970), so deadline conditions satisfied

// 4. Creator can immediately exploit any deadline-dependent logic

The creator sets the deadline to Unix timestamp 1 (January 1, 1970). Since current time is always greater than 1970, the campaign is immediately "past deadline." This bypasses all time-based protections instantly, allowing immediate exploitation of deadline-dependent functions without waiting.

Recommended Mitigation

pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {

let fund = &mut ctx.accounts.fund;

+ let clock = Clock::get()?;

if fund.dealine_set {

return Err(ErrorCode::DeadlineAlreadySet.into());

}

+ // Ensure deadline is in the future

+ require!(

+ deadline > clock.unix_timestamp as u64,

+ ErrorCode::DeadlineInPast

+ );

fund.deadline = deadline;

+ fund.dealine_set = true;

Ok(())

}

Validate that the provided deadline is greater than the current blockchain timestamp using Clock::get(). This ensures deadlines are always in the future, giving contributors adequate time to participate. Reject any past timestamps with a DeadlineInPast error.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 9 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!