Rust Fund

Description

The withdraw function (lines 90-105) allows the campaign creator to withdraw all raised funds at any time. There are no checks for:

1. Whether the deadline has passed

2. Whether the funding goal was reached

The only validation is that the caller is the creator (has_one = creator on line 163).

Risk

A malicious creator can:

1. Create a campaign with an attractive goal and description

2. Wait for contributions to accumulate

3. Call withdraw immediately, taking all funds before the deadline

4. Contributors have no protection and lose their SOL

This completely undermines the trustless crowdfunding model. The "deadline" and "goal" features are meaningless if the creator can withdraw at any time.

Proof of Concept

1. Creator creates a fund with goal = 100 SOL, deadline = 30 days from now

2. Contributors contribute 50 SOL total over 5 days

3. Creator calls withdraw on day 6 — succeeds with no checks

4. Creator receives 50 SOL

5. Contributors cannot get refunds (even if the contribute bug were fixed, the funds are already gone)

Mitigation

Add deadline and goal checks to withdraw:

pub fn withdraw(ctx: Context) -> Result<()> {
let fund = &ctx.accounts.fund;

// Require deadline to have passed
require!(fund.deadline != 0 && fund.deadline = fund.goal, ErrorCode::GoalNotReached);

let amount = fund.amount_raised;
// ... rest of withdrawal logic

}