contribute uses unchecked += on amount_raised, risking silent overflow

contribute (lib.rs:50) accumulates with the plain += operator instead of the checked arithmetic used everywhere else in the program (checked_sub in refund/withdraw, checked_add for lamport credits). If overflow checks are disabled in a release build, fund.amount_raised += amount wraps silently.
Likelihood:
Low in practice — reaching u64::MAX lamports requires enormous or many contributions — but it is conditioned on the build's overflow-checks setting, which defaults to off in release. Inconsistent arithmetic style across the program makes the unchecked path easy to overlook.
Impact:
A wraparound corrupts amount_raised, the same value that drives goal evaluation and is paid out by withdraw (lib.rs:91). A wrapped-small amount_raised could make withdraw underpay, or interact with the withdraw checked_sub math, while a contributor's transferred lamports are already in the fund — breaking accounting integrity. Even where economically improbable, it is a latent correctness defect that should match the program's own checked-math convention.
Conceptually, drive amount_raised near u64::MAX (or build with overflow-checks = false) and contribute past the boundary.
Use checked_add and surface the existing overflow error, matching the rest of the program.
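The wraparound and the checked fix side by side, as an added example that is not the program's own code. The Fund struct, FundError::Overflow and the function names are hypothetical stand-ins, and wrapping_add models what += compiles to when overflow-checks is off.

```rust
// Added illustration; `Fund`, `FundError` and the function names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum FundError {
    Overflow,
}

pub struct Fund {
    pub goal: u64,
    pub amount_raised: u64,
}

/// Models `fund.amount_raised += amount` built with overflow-checks = false:
/// the addition wraps modulo 2^64 instead of panicking.
pub fn contribute_unchecked(fund: &mut Fund, amount: u64) {
    fund.amount_raised = fund.amount_raised.wrapping_add(amount);
}

/// Checked form: on overflow, return an error and leave state untouched.
pub fn contribute_checked(fund: &mut Fund, amount: u64) -> Result<(), FundError> {
    fund.amount_raised = fund
        .amount_raised
        .checked_add(amount)
        .ok_or(FundError::Overflow)?;
    Ok(())
}

/// Goal evaluation reads the same counter that the contribution updates.
pub fn goal_met(fund: &Fund) -> bool {
    fund.amount_raised >= fund.goal
}

fn main() {
    // Constructed values: a counter 10 below u64::MAX receives 25 more.
    let mut a = Fund { goal: 1_000, amount_raised: u64::MAX - 10 };
    contribute_unchecked(&mut a, 25);
    println!("unchecked: amount_raised = {}, goal_met = {}", a.amount_raised, goal_met(&a));

    let mut b = Fund { goal: 1_000, amount_raised: u64::MAX - 10 };
    let result = contribute_checked(&mut b, 25);
    println!("checked: {:?}, state unchanged = {}", result, b.amount_raised == u64::MAX - 10);
}
```

In the unchecked path the counter drops to 14 and a goal that was already met reads as unmet; the checked path rejects the contribution before any state changes.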