Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

[L-02] set_deadline() Accepts Past Timestamps

kivanov

[L-02] set_deadline() Accepts Past Timestamps

Description

The set_deadline() function accepts any u64 value as the deadline parameter. It is expected that only future timestamps are valid deadlines.
No validation ensures the deadline is in the future. A creator could accidentally or maliciously set a deadline in the past, immediately making the fund appear expired.

@> fund.deadline = deadline; // No validation that deadline > now

Risk

Likelihood: Low

Requires creator error or malicious intent.

Impact: Low

An already-expired deadline immediately enables refunds and blocks further contributions.

Severity: Low

Proof of Concept

A creator sets the deadline to a Unix timestamp of 1 (January 1, 1970). The fund is immediately considered expired — contributions are blocked and refunds are enabled.

it("Proves past deadline is accepted", async () => {

await program.methods.fundCreate("poc-l002", "test", goal).rpc();

// Set deadline to Unix timestamp 1 (1970-01-01) — already expired

await program.methods.setDeadline(new anchor.BN(1)).rpc(); // <-- SHOULD REVERT

let fund = await program.account.fund.fetch(fundPDA);

expect(fund.deadline.toNumber()).to.equal(1); // Accepted without validation

// Now try to contribute — blocked because deadline < now

try {

await program.methods.contribute(new anchor.BN(1 * LAMPORTS_PER_SOL)).rpc();

expect.fail("Should have reverted — deadline already passed");

} catch (e) {

expect(e.error.errorCode.code).to.equal("DeadlineReached");

}

// Fund is DOA — created with an expired deadline, can never receive contributions

});

## Recommended Mitigation

Validate that the deadline timestamp is in the future before writing it to state. This prevents creators from accidentally or maliciously creating dead-on-arrival funds that can never receive contributions. The restored invariant is: a campaign's deadline always represents a future point in time when the campaign will close.

```diff

+ require!(

+ deadline > Clock::get()?.unix_timestamp as u64,

+ ErrorCode::DeadlineInPast

+ );

fund.deadline = deadline;

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 3 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!