Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

005_MEDIUM_deadline-set-no-validation

rugslayer123

Description

The set_deadline function allows the campaign deadline to be set to a timestamp in the past. This effectively locks the campaign immediately or breaks logic that assumes the deadline is a future event. There is no validation to ensure deadline > Clock::get()?.unix_timestamp.

Risk

Severity: Medium
Likelihood: High (User Error or Malicious)
Impact: Medium

Impact Details:

DoS via Malconfiguration: A campaign can be essentially bricked upon creation or update.
Refund Lockout: If refunds require now > deadline, they become active immediately, defeating the purpose of a holding period.

Proof of Concept

Test demonstrating setting a past deadline.

#[tokio::test]

async fn test_set_past_deadline() {

// ... Setup ...

// 1. Call set_deadline with a past timestamp

let past_time = 1_000_000; // Year 1970ish

let transaction = Transaction::new_with_payer(

&[instruction::set_deadline(

&program_id,

past_time,

&campaign_pubkey,

&payer.pubkey(), // Creator

)],

Some(&payer.pubkey()),

);

// 2. Assert Success (Should FAIL)

let result = banks_client.process_transaction(transaction).await;

assert!(result.is_ok(), "Allowed setting a deadline in the past.");

}

Recommended Mitigation Steps

Validate that the new deadline is in the future.

Detailed Changes

pub fn set_deadline(ctx: Context<SetDeadline>, deadline: i64) -> Result<()> {

let campaign = &mut ctx.accounts.campaign;

+ // Validation

+ let current_timestamp = Clock::get()?.unix_timestamp;

+ require!(deadline > current_timestamp, CampaignError::InvalidDeadline);

campaign.deadline = deadline; // No validation here

Ok(())

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!