Submission Details
Impact:
Likelihood:
[L-02] `set_deadline()` accepts past timestamps, immediately enabling refunds
Description
set_deadline() does not validate that the deadline is in the future. A creator can set deadline = 1 (January 1, 1970), which immediately satisfies the refund deadline condition. In a fixed protocol (where H-01 is patched), this would immediately allow all contributors to refund, breaking the campaign.
Vulnerability Details
// lib.rs:55-63
pub fn set_deadline(ctx: Context<FundSetDeadline>, deadline: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
if fund.dealine_set {
return Err(ErrorCode::DeadlineAlreadySet.into());
}
fund.deadline = deadline; // @> no check that deadline > now
Ok(())
}
Proof of Concept
// 1. Creator calls fund_create("Test", "desc", goal=100 SOL)
// fund.deadline = 0
// 2. Creator calls set_deadline(1)
// fund.deadline = 1 (January 1, 1970 00:00:01 UTC)
// No validation that deadline > Clock::get().unix_timestamp
// 3. Current time is ~1,740,000,000 (Feb 2025)
// fund.deadline (1) < now (1,740,000,000)
// 4. refund() deadline check:
// fund.deadline != 0 => true
// fund.deadline > now => 1 > 1,740,000,000 => false
// Guard does NOT revert, refund proceeds immediately
// Result: deadline is set but already expired, contributors can refund right away
Recommendations
+ let now: u64 = Clock::get()?.unix_timestamp.try_into().unwrap();
+ require!(deadline > now, ErrorCode::DeadlineMustBeFuture);
fund.deadline = deadline;
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.