The RustFund crowdfunding model is designed so that the creator can only withdraw contributed SOL after the campaign succeeds — meaning the funding goal has been reached and the deadline has passed. This is the fundamental trust guarantee that protects contributors.
The withdraw() function allows the creator to transfer fund.amount_raised lamports to their own wallet without any validation whatsoever. There is no check that the funding goal was met, no check that the deadline has passed, and no check on campaign status. The creator can drain all contributed funds immediately.
Likelihood: High
The creator is the sole authorized caller of withdraw() (enforced by has_one = creator). No on-chain validation occurs on goal achievement or deadline status — the function body is a straight transfer with zero guards.
Combined with H-01 (refunds always return 0), the creator faces zero consequences — contributors have no recourse and no recovery mechanism.
Impact: High
All contributed SOL is transferred to the creator in a single transaction. This is a direct rug-pull vector enabling complete theft of contributor funds.
The platform's core crowdfunding invariant is violated: contributors who deposited SOL trusting the refund mechanism lose 100% of their funds with no on-chain path to recovery.
Severity: High
A creator creates a fund with a 100 SOL goal and a deadline 1 year away. A contributor deposits 5 SOL — only 5% of the goal. The creator immediately calls withdraw() and receives all 5 SOL.
Add checks to withdraw() that the funding goal has been reached and that the deadline has passed before any transfer to the creator is allowed; a withdrawal should also only be possible once.
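The following is an added example, not the RustFund program's own code. It models the missing guards in dependency-free Rust so the logic can be exercised offline: the unguarded transfer shape described in the finding is placed beside a hardened version that enforces the goal, the deadline and single-withdrawal. The field names goal, deadline and withdrawn, the error enum and the now parameter (standing in for the on-chain clock) are assumptions; only amount_raised comes from the finding.

```rust
// Added example, not the RustFund program's code. Field names `goal`,
// `deadline` and `withdrawn` are assumed; `amount_raised` is from the finding.
// `now` stands in for the on-chain clock (Clock::get()?.unix_timestamp in Anchor).

#[derive(Debug, Clone, PartialEq)]
pub struct Fund {
    pub amount_raised: u64, // lamports contributed so far
    pub goal: u64,          // funding target in lamports (assumed field)
    pub deadline: i64,      // unix timestamp at which the campaign closes (assumed field)
    pub withdrawn: bool,    // assumed status flag so the creator cannot withdraw twice
}

#[derive(Debug, PartialEq)]
pub enum WithdrawError {
    GoalNotReached,
    DeadlineNotPassed,
    AlreadyWithdrawn,
    NothingToWithdraw,
}

pub const LAMPORTS_PER_SOL: u64 = 1_000_000_000;
pub const ONE_YEAR_SECS: i64 = 365 * 24 * 60 * 60;

/// The shape reported in the finding: a straight transfer with no guards.
/// Returns the lamports handed to the creator.
pub fn withdraw_unchecked(fund: &mut Fund) -> u64 {
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    amount
}

/// Hardened version: succeeds only if the goal was met, the deadline has
/// passed, and no withdrawal has happened yet.
pub fn withdraw_checked(fund: &mut Fund, now: i64) -> Result<u64, WithdrawError> {
    if fund.withdrawn {
        return Err(WithdrawError::AlreadyWithdrawn);
    }
    if fund.amount_raised < fund.goal {
        return Err(WithdrawError::GoalNotReached);
    }
    if now <= fund.deadline {
        return Err(WithdrawError::DeadlineNotPassed);
    }
    if fund.amount_raised == 0 {
        return Err(WithdrawError::NothingToWithdraw);
    }
    let amount = fund.amount_raised;
    fund.amount_raised = 0;
    fund.withdrawn = true;
    Ok(amount)
}

/// Replays the scenario from the finding: 100 SOL goal, deadline one year out,
/// 5 SOL contributed, creator calls withdraw() immediately.
/// Returns (lamports taken by the unchecked path, result of the checked path).
pub fn finding_scenario() -> (u64, Result<u64, WithdrawError>) {
    let created_at: i64 = 1_700_000_000; // constructed timestamp
    let fund = Fund {
        amount_raised: 5 * LAMPORTS_PER_SOL,
        goal: 100 * LAMPORTS_PER_SOL,
        deadline: created_at + ONE_YEAR_SECS,
        withdrawn: false,
    };
    let taken = withdraw_unchecked(&mut fund.clone());
    let guarded = withdraw_checked(&mut fund.clone(), created_at);
    (taken, guarded)
}

fn main() {
    let (taken, guarded) = finding_scenario();
    println!("unchecked withdraw gave creator {} lamports", taken);
    println!("checked withdraw result: {:?}", guarded);
}
```

In an Anchor program these three conditions map to require!-style checks at the top of the withdraw instruction, reading the current time from the Clock sysvar rather than a parameter; the withdrawn flag (or a status field on the fund account) is what stops a second call after the first successful transfer.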