Rust Fund

AI First Flight #9

Beginner FriendlyRust

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

withdraw has no goal-reached or deadline check, letting the creator pull all contributions at any time — a rug-pull against contributors

sub99

`withdraw` has no goal or deadline gate, letting the creator rug-pull contributors at any time

Description

withdraw (lib.rs:90-105) pays the full amount_raised to the creator with no check that the funding goal was reached or that the deadline has passed; the FundWithdraw accounts struct only enforces has_one = creator (lib.rs:163). The creator can therefore withdraw the moment any contribution lands.

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {

let amount = ctx.accounts.fund.amount_raised;

// @> no check: fund.amount_raised >= fund.goal OR deadline passed

**ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? =

ctx.accounts.fund.to_account_info().lamports()

.checked_sub(amount)

.ok_or(ProgramError::InsufficientFunds)?;

// creator credited `amount` :98-101

Ok(())

}

Risk

Likelihood:

Low — requires the creator to act maliciously (or carelessly) against their own campaign. But it needs no special conditions and no other actor; the creator already holds the only required signature.

Impact:

High. Contributors fund a goal-/deadline-gated crowdfund expecting release only on success, but the creator can sweep all contributed lamports at will before the goal is met and before refunds would otherwise become available — a complete rug-pull of contributor funds with no recourse.

Proof of Concept

One contribution, immediate creator withdraw with goal unmet.

await program.methods.fundCreate("camp", "d", new BN(1_000_000_000)).accounts({...}).rpc();

await contribute(victim, 50_000_000); // far below goal, no deadline reached

await program.methods.withdraw().accounts({ fund, creator }).rpc();

// succeeds: creator receives the 50_000_000 victim lamports

Recommended Mitigation

Gate withdraw on the goal being met and/or the deadline having passed.

pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> {

let fund = &ctx.accounts.fund;

+ let now: u64 = Clock::get()?.unix_timestamp.try_into().unwrap();

+ require!(

+ fund.amount_raised >= fund.goal || (fund.deadline != 0 && fund.deadline <= now),

+ ErrorCode::UnauthorizedAccess

+ );

let amount = fund.amount_raised;

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-02] H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals

# H-01. Creators Can Withdraw Funds Without Meeting Campaign Goals **Severity:** High\ **Category:** Fund Management / Economic Security Violation ## Description The `withdraw` function in the RustFund contract allows creators to prematurely withdraw funds without verifying if the campaign goal was successfully met. ## Vulnerability Details In the current RustFund implementation (`lib.rs`), the `withdraw` instruction lacks logic to verify that the campaign's `amount_raised` is equal to or greater than the `goal`. Consequently, creators can freely withdraw user-contributed funds even when fundraising objectives haven't been met, undermining the core economic guarantees of the platform. **Vulnerable Component:** - File: `lib.rs` - Function: `withdraw` - Struct: `Fund` ## Impact - Creators can prematurely drain user-contributed funds. - Contributors permanently lose the ability to receive refunds if the creator withdraws early. - Severely damages user trust and undermines the economic integrity of the RustFund platform. ## Proof of Concept (PoC) ```js // Create fund with 5 SOL goal await program.methods .fundCreate(FUND_NAME, "Test fund", new anchor.BN(5 * LAMPORTS_PER_SOL)) .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); // Contribute only 2 SOL (below goal) await program.methods .contribute(new anchor.BN(2 * LAMPORTS_PER_SOL)) .accounts({ fund, contributor: contributor.publicKey, contribution, systemProgram: SystemProgram.programId, }) .signers([contributor]) .rpc(); // Set deadline to past await program.methods .setDeadline(new anchor.BN(Math.floor(Date.now() / 1000) - 86400)) .accounts({ fund, creator: creator.publicKey }) .signers([creator]) .rpc(); // Attempt withdrawal (should fail but succeeds) await program.methods .withdraw() .accounts({ fund, creator: creator.publicKey, systemProgram: SystemProgram.programId, }) .signers([creator]) .rpc(); /* OUTPUT: Fund goal: 5 SOL Contributed amount: 2 SOL Withdrawal succeeded despite not meeting goal Fund balance after withdrawal: 0.00089088 SOL (rent only) */ ``` ## Recommendations Add conditional logic to the `withdraw` function to ensure the campaign has reached its fundraising goal before allowing withdrawals: ```diff pub fn withdraw(ctx: Context<FundWithdraw>) -> Result<()> { let fund = &mut ctx.accounts.fund; + require!(fund.amount_raised >= fund.goal, ErrorCode::GoalNotMet); let amount = fund.amount_raised; **ctx.accounts.fund.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.fund.to_account_info().lamports() .checked_sub(amount) .ok_or(ProgramError::InsufficientFunds)?; **ctx.accounts.creator.to_account_info().try_borrow_mut_lamports()? = ctx.accounts.creator.to_account_info().lamports() .checked_add(amount) .ok_or(ErrorCode::CalculationOverflow)?; Ok(()) } ``` Also define the new error clearly: ```diff #[error_code] pub enum ErrorCode { // existing errors... + #[msg("Campaign goal not met")] + GoalNotMet, } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!