Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: low

Invalid

Unchecked arithmetic on fund.amount_raised — silent overflow in release builds

cybervikink

Root + Impact

The += operator on u64 wraps silently in Rust release builds when overflow-checks is not enabled in Cargo.toml.

Description

In contribute(), the line fund.amount_raised += amount uses unchecked addition. In a Solana program compiled without overflow-checks = true in the release profile (the Anchor default does not set this), arithmetic overflow wraps silently. An attacker contributing exactly u64::MAX - current_amount_raised + 1 lamports causes amount_raised to wrap to 0 or a tiny value, making a fully-funded campaign appear empty and enabling refunds that should be blocked.

pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {

// ...

system_program::transfer(cpi_context, amount)?;

@> fund.amount_raised += amount; // unchecked — wraps silently in --release

Ok(())

}

Risk

Likelihood:

Reaching u64::MAX lamports (~18.4 billion SOL) through natural contributions is economically impossible under the current SOL supply
A targeted attacker with sufficient SOL (or one exploiting another vulnerability to manipulate the counter) could deliberately craft the wrap

Impact:

amount_raised wrapping to 0 makes a fully-funded campaign appear empty, denying the creator a legitimate withdrawal
Contributors on a successfully-funded campaign could incorrectly claim refunds if goal checks compare against the wrapped value
Inconsistency between the true lamport balance and amount_raised disrupts all program logic depending on this counter

Proof of Concept

#[test]

fn test_amount_raised_overflow() {

let mut amount_raised: u64 = u64::MAX - 999;

let amount: u64 = 1000;

// In debug this panics; in release it wraps silently

@> amount_raised += amount; // wraps to 0 in --release without overflow-checks

assert_eq!(amount_raised, 0); // passes — confirms silent wrap

}

Recommended Mitigation

- fund.amount_raised += amount;

+ fund.amount_raised = fund.amount_raised

+ .checked_add(amount)

+ .ok_or(ErrorCode::CalculationOverflow)?;

// In Cargo.toml:

+ [profile.release]

+ overflow-checks = true

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!