Missing goal and deadline checks in `withdraw()` allows creator to drain all contributor funds at any time
Root + Impact
Description
-
The
withdrawinstruction is intended to transfer campaign proceeds to the creator only after the fundraising goal has been met and the campaign deadline has passed. -
withdrawperforms no business logic validation before transferring the fullfund.amount_raisedto the creator. The only protection is thehas_one = creatoraccount constraint, which only verifies the caller is the creator — not that withdrawal is actually permitted at this time. A creator can drain all contributed SOL immediately after the first contribution arrives, before the deadline and before the goal is met.
Risk
Likelihood:
-
Any creator can call
withdrawthe moment a single lamport enters the fund PDA — no precondition prevents it. -
A creator advertising a campaign with "full refund if goal not met" is under no on-chain constraint, making rug-pulls a trivially executable strategy.
Impact:
-
The creator drains all contributed SOL at any time regardless of whether the goal was met or the deadline has passed.
-
Contributors have no protection whatsoever; the "refund if goal not met" guarantee is entirely unenforceable on-chain.
Proof of Concept
Static analysis is sufficient for this finding. The withdraw instruction handler contains no check against fund.goal or fund.deadline before transferring lamports to the creator. This is verifiable by grep:
Expected output shows goal and deadline set during fund creation and read nowhere in the withdraw handler — confirming the missing guards.
Recommended Mitigation
Add goal and deadline precondition checks to withdraw() so funds can only be claimed by the creator once the campaign goal is reached and the deadline has passed.
Lead Judging Commences
[H-02] H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals
# H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals **Severity:** High\ **Category:** Fund Management / Economic Security Violation ## Description The `withdraw` function in the RustFund contract allows creators to prematurely withdraw funds without verifying if the campaign goal was successfully met. ## Vulnerability Details In the current RustFund implementation (`lib.rs`), the `withdraw` instruction lacks logic to verify that the campaign's `amount_raised` is equal to or greater than the `goal`. Consequently, creators can freely withdraw user-contributed funds even when fundraising objectives haven't been met, undermining the core economic guarantees of the platform. **Vulnerable Component:** - File: `lib.rs` - Function: `withdraw` - Struct: `Fund` ## Impact - Creators can prematurely drain user-contributed funds. - Contributors permanently lose the ability to receive refunds if the creator withdraws early. - Severely damages user trust and undermines the economic integrity of the RustFund platform. ## Proof of Concept (PoC) ```js // Create fund with 5 SOL goal await program.methods .fundCreate(FUND_NAME, "Test fund", new anchor.BN(5 * LAMPORTS_PER_SOL)) .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); // Contribute only 2 SOL (below goal) await program.methods .contribute(new anchor.BN(2 * LAMPORTS_PER_SOL)) .accounts({ fund, contributor: contributor.publicKey, contribution, systemProgram: SystemProgram.programId, }) .signers([contributor]) .rpc(); // Set deadline to past await program.methods .setDeadline(new anchor.BN(Math.floor(Date.now() / 1000) - 86400)) .accounts({ fund, creator: creator.publicKey }) .signers([creator]) .rpc(); // Attempt withdrawal (should fail but succeeds) await program.methods .withdraw() .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); /* OUTPUT: Fund goal: 5 SOL Contributed amount: 2 SOL Withdrawal succeeded despite not meeting goal Fund balance after withdrawal: 0.00089088 SOL (rent only) */ ``` ## Recommendations Add conditional logic to the `withdraw` function to ensure the campaign has reached its fundraising goal before allowing withdrawals: ```diff pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> { let fund = &mut ctx.accounts.fund; + require!(fund.amount_raised >= fund.goal, ErrorCode::GoalNotMet); let amount = fund.amount_raised; **ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.fund.to_account_info().lamports() .checked_sub(amount) .ok_or(ProgramError::InsufficientFunds)?; **ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.creator.to_account_info().lamports() .checked_add(amount) .ok_or(ErrorCode::CalculationOverflow)?; Ok(()) } ``` Also define the new error clearly: ```diff #[error_code] pub enum ErrorCode { // existing errors... + #[msg("Campaign goal not met")] + GoalNotMet, } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.