The Claimed event is intended to log the address that received the reward, but claim() emits msg.sender instead of recipient.
As a result, off-chain indexers, UIs, and monitoring tools will record the wrong payout recipient.
Likelihood:
This occurs on every successful claim where msg.sender differs from recipient
The contract explicitly requires recipient != msg.sender, so the emitted recipient is always wrong for valid claims.
Impact:
The actual ETH transfer still goes to the correct recipient, so funds are not directly lost because of this bug.
However, event consumers will see incorrect claim data, which can break frontends, analytics, accounting, and dispute resolution.
The PoC performs a valid claim from caller while sending the reward to a separate recipient. The transaction succeeds and ETH is transferred to recipient, but the emitted Claimed event records caller as the recipient.
Emit the actual reward recipient instead of msg.sender.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.