Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

withdraw() has no goal check — creator can drain funds even when campaign falls short of target

virgilbb

Root + Impact

Description

withdraw() transfers fund.amount_raised to the creator without checking that the fundraising goal was met. A creator can drain all contributions the moment any SOL arrives, regardless of whether the campaign reached its stated target.

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {

let amount = ctx.accounts.fund.amount_raised;

// No: require!(fund.amount_raised >= fund.goal, ErrorCode::GoalNotMet)

// ...transfer logic...

}

Risk

Likelihood: Any campaign creator can exploit this unconditionally — no special setup required beyond having at least one contributor.

Impact: Contributors lose their SOL permanently. The core crowdfunding guarantee — "funds are only released when the goal is met" — is entirely unenforced on-chain.

Proof of Concept

withdraw() reads amount_raised and transfers immediately — fund.goal is declared but never read inside the function:

grep -n "pub fn withdraw\|goal\|amount_raised" programs/rustfund/src/lib.rs

16: fund.goal = goal;

19: fund.amount_raised = 0;

50: fund.amount_raised += amount;

90: pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {

91: let amount = ctx.accounts.fund.amount_raised;

186: pub goal: u64,

189: pub amount_raised: u64,

withdraw() at line 90 reads amount_raised (line 91) and transfers it with no comparison to fund.goal. A creator with 2 SOL raised against a 5 SOL goal can call withdraw() immediately and drain all contributions.

Recommended Mitigation

Add a goal check at the top of withdraw() before any transfer. This enforces the crowdfunding invariant on-chain:

+ require!(

+ ctx.accounts.fund.amount_raised >= ctx.accounts.fund.goal,

+ ErrorCode::GoalNotMet

+ );

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 18 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals

# H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals **Severity:** High\ **Category:** Fund Management / Economic Security Violation ## Description The `withdraw` function in the RustFund contract allows creators to prematurely withdraw funds without verifying if the campaign goal was successfully met. ## Vulnerability Details In the current RustFund implementation (`lib.rs`), the `withdraw` instruction lacks logic to verify that the campaign's `amount_raised` is equal to or greater than the `goal`. Consequently, creators can freely withdraw user-contributed funds even when fundraising objectives haven't been met, undermining the core economic guarantees of the platform. **Vulnerable Component:** - File: `lib.rs` - Function: `withdraw` - Struct: `Fund` ## Impact - Creators can prematurely drain user-contributed funds. - Contributors permanently lose the ability to receive refunds if the creator withdraws early. - Severely damages user trust and undermines the economic integrity of the RustFund platform. ## Proof of Concept (PoC) ```js // Create fund with 5 SOL goal await program.methods .fundCreate(FUND_NAME, "Test fund", new anchor.BN(5 * LAMPORTS_PER_SOL)) .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); // Contribute only 2 SOL (below goal) await program.methods .contribute(new anchor.BN(2 * LAMPORTS_PER_SOL)) .accounts({ fund, contributor: contributor.publicKey, contribution, systemProgram: SystemProgram.programId, }) .signers([contributor]) .rpc(); // Set deadline to past await program.methods .setDeadline(new anchor.BN(Math.floor(Date.now() / 1000) - 86400)) .accounts({ fund, creator: creator.publicKey }) .signers([creator]) .rpc(); // Attempt withdrawal (should fail but succeeds) await program.methods .withdraw() .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); /* OUTPUT: Fund goal: 5 SOL Contributed amount: 2 SOL Withdrawal succeeded despite not meeting goal Fund balance after withdrawal: 0.00089088 SOL (rent only) */ ``` ## Recommendations Add conditional logic to the `withdraw` function to ensure the campaign has reached its fundraising goal before allowing withdrawals: ```diff pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> { let fund = &mut ctx.accounts.fund; + require!(fund.amount_raised >= fund.goal, ErrorCode::GoalNotMet); let amount = fund.amount_raised; **ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.fund.to_account_info().lamports() .checked_sub(amount) .ok_or(ProgramError::InsufficientFunds)?; **ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.creator.to_account_info().lamports() .checked_add(amount) .ok_or(ErrorCode::CalculationOverflow)?; Ok(()) } ``` Also define the new error clearly: ```diff #[error_code] pub enum ErrorCode { // existing errors... + #[msg("Campaign goal not met")] + GoalNotMet, } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!