Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

003_CRITICAL_withdraw-ownership-bypass

rugslayer123

Description

The withdraw function lacks a critical validation check: it does not verify that the campaign has reached its funding goal (fund.amount_raised >= fund.goal). This omission allows a campaign creator to withdraw the collected funds at any time, even if the campaign is failing, blatantly violating the crowdfunding logic.

Risk

Severity: Critical
Likelihood: High
Impact: Critical

Impact Details:

Funds Theft: Creators can rug-pull backers by withdrawing funds immediately, bypassing the success condition.
Broken Contract: The core "all-or-nothing" promise of the crowdfunding platform is negated.

Proof of Concept

The following test scenario demonstrates a creator withdrawing funds from a campaign that has arguably failed (raised < goal).

#[tokio::test]

async fn test_premature_withdrawal() {

// ... Setup code (create fund with Goal = 1000) ...

// 1. Contribute 500 (Less than goal)

// [Call contribute instruction]

// 2. Creator attempts to withdraw

let transaction = Transaction::new_with_payer(

&[instruction::withdraw(

&program_id,

&creator.pubkey(), // Creator signs

)],

Some(&payer.pubkey()),

);

// 3. Assert Success (Should FAIL if secure)

let result = banks_client.process_transaction(transaction).await;

assert!(result.is_ok(), "Vulnerability confirmed: Creator withdrew funds despite missing goal.");

}

Recommended Mitigation Steps

Implement a check to ensure the goal is met before allowing withdrawal.

Detailed Changes

pub fn withdraw(ctx: Context<Withdraw>) -> Result<()> {

let fund = &mut ctx.accounts.fund;

let creator = &ctx.accounts.creator;

+ // Verify goal is reached

+ if fund.amount_raised < fund.goal {

+ return Err(ErrorCode::GoalNotReached.into());

+ }

let amount = fund.amount_raised;

fund.amount_raised = 0;

// Transfer logic...

Ok(())

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals

# H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals **Severity:** High\ **Category:** Fund Management / Economic Security Violation ## Description The `withdraw` function in the RustFund contract allows creators to prematurely withdraw funds without verifying if the campaign goal was successfully met. ## Vulnerability Details In the current RustFund implementation (`lib.rs`), the `withdraw` instruction lacks logic to verify that the campaign's `amount_raised` is equal to or greater than the `goal`. Consequently, creators can freely withdraw user-contributed funds even when fundraising objectives haven't been met, undermining the core economic guarantees of the platform. **Vulnerable Component:** - File: `lib.rs` - Function: `withdraw` - Struct: `Fund` ## Impact - Creators can prematurely drain user-contributed funds. - Contributors permanently lose the ability to receive refunds if the creator withdraws early. - Severely damages user trust and undermines the economic integrity of the RustFund platform. ## Proof of Concept (PoC) ```js // Create fund with 5 SOL goal await program.methods .fundCreate(FUND_NAME, "Test fund", new anchor.BN(5 * LAMPORTS_PER_SOL)) .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); // Contribute only 2 SOL (below goal) await program.methods .contribute(new anchor.BN(2 * LAMPORTS_PER_SOL)) .accounts({ fund, contributor: contributor.publicKey, contribution, systemProgram: SystemProgram.programId, }) .signers([contributor]) .rpc(); // Set deadline to past await program.methods .setDeadline(new anchor.BN(Math.floor(Date.now() / 1000) - 86400)) .accounts({ fund, creator: creator.publicKey }) .signers([creator]) .rpc(); // Attempt withdrawal (should fail but succeeds) await program.methods .withdraw() .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); /* OUTPUT: Fund goal: 5 SOL Contributed amount: 2 SOL Withdrawal succeeded despite not meeting goal Fund balance after withdrawal: 0.00089088 SOL (rent only) */ ``` ## Recommendations Add conditional logic to the `withdraw` function to ensure the campaign has reached its fundraising goal before allowing withdrawals: ```diff pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> { let fund = &mut ctx.accounts.fund; + require!(fund.amount_raised >= fund.goal, ErrorCode::GoalNotMet); let amount = fund.amount_raised; **ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.fund.to_account_info().lamports() .checked_sub(amount) .ok_or(ProgramError::InsufficientFunds)?; **ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.creator.to_account_info().lamports() .checked_add(amount) .ok_or(ErrorCode::CalculationOverflow)?; Ok(()) } ``` Also define the new error clearly: ```diff #[error_code] pub enum ErrorCode { // existing errors... + #[msg("Campaign goal not met")] + GoalNotMet, } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!