FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: high
Likelihood: medium

Permissionless bonus sweep during the re-flag window strips the good-faith attacker’s bounty

Author Revealed upon completion

Root + Impact

Description

A moderator may re-flag an outcome before the first claim so that an incorrect outcome or attacker address can be corrected.

Until that correction window closes, no protocol-accounted funds should move irreversibly under the initial outcome. Otherwise, the corrected outcome may be calculated using an already-depleted pool.

For a good-faith CORRUPTED outcome, the named whitehat is intended to receive the complete snapshot of staked principal and bonus:

snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
bountyEntitlement =
willBeGoodFaithCorrupted
? snapshotTotalStaked + snapshotTotalBonus
: 0;

However, sweepUnclaimedBonus() can transfer the complete accounted bonus to recoveryAddress while the outcome is still re-flaggable.

When riskWindowStart == 0, the bonus is not reserved for stakers under a SURVIVED outcome:

uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
// @> The snapshotted bonus is not reserved when no risk window was observed.
if (riskWindowStart != 0) {
reserved += snapshotTotalBonus - claimedBonus;
}
}
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;

The function then removes the swept amount from the live totalBonus accounting:

if (totalEligibleStake == 0 || riskWindowStart == 0) {
// @> The bonus is permanently removed from the value used by a later re-flag.
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}

Crucially, the sweep intentionally does not set claimsStarted:

// @> The outcome remains re-flaggable even though accounted value has moved.
stakeToken.safeTransfer(recoveryAddress, amount);

This creates the following attack path:

  1. The registry is CORRUPTED, but no active-risk state was observed, so riskWindowStart == 0.

  2. The moderator initially flags SURVIVED, for example because the breach was mistakenly classified as out of scope.

  3. Before the moderator corrects the outcome, anyone calls sweepUnclaimedBonus().

  4. The complete bonus is sent to the sponsor-controlled recoveryAddress, and totalBonus becomes zero.

  5. Since claimsStarted remains false, the moderator can still correct the outcome to good-faith CORRUPTED.

  6. The corrected bounty snapshot uses the now-zero totalBonus.

  7. The whitehat receives only staked principal instead of principal plus the original bonus.

The re-flagging mechanism exists specifically to correct an incorrect initial decision before value movement. sweepUnclaimedBonus() violates that invariant by moving protocol-accounted bonus without closing or preserving the correction window.

This does not challenge the intended ability to sweep direct-transfer donations. The issue is that the same function also transfers the tracked snapshotTotalBonus while the outcome remains mutable. :contentReference[oaicite:0]{index=0}

Risk

A permissionless caller can permanently redirect up to 100% of the bonus pool away from the named good-faith attacker.

The funds are sent to recoveryAddress, which is controlled by the pool sponsor. A malicious sponsor can therefore monitor an erroneous SURVIVED flag and execute the sweep before the moderator submits the corrective good-faith CORRUPTED transaction.

The correction still succeeds, but it snapshots a depleted bonus balance and cannot restore the tokens already transferred.

Consequences include:

  • the whitehat loses the complete bonus portion of their bounty;

  • the sponsor-controlled recovery address receives funds it is not entitled to under the corrected outcome;

  • the moderator's documented correction mechanism cannot restore the intended distribution;

  • the attack is permissionless and can be executed before or front-run against the corrective transaction.

The maximum loss equals the full bonus balance.

Proof of Concept

Add the following test to a contract inheriting BaseConfidencePoolTest:

function test_SweepDuringReflagWindowStripsGoodFaithBonus() external {
uint256 principal = 100 * ONE;
uint256 bonus = 50 * ONE;
_stake(alice, principal);
_contributeBonus(carol, bonus);
// Registry becomes CORRUPTED without the pool observing an active-risk state.
// The moderator may still flag CORRUPTED under the documented no-risk-window
// principal-resolution behavior.
attackRegistry.setAgreementState(
IAttackRegistry.ContractState.CORRUPTED
);
assertEq(pool.riskWindowStart(), 0);
// The moderator initially misclassifies the corruption as out of scope.
vm.prank(moderator);
pool.flagOutcome(
PoolStates.Outcome.SURVIVED,
false,
address(0)
);
assertEq(pool.snapshotTotalBonus(), bonus);
assertFalse(pool.claimsStarted());
uint256 recoveryBefore = token.balanceOf(recovery);
// Anyone can move the complete tracked bonus to recovery while the
// moderator's correction window remains open.
pool.sweepUnclaimedBonus();
assertEq(
token.balanceOf(recovery) - recoveryBefore,
bonus,
"complete bonus sent to recovery"
);
assertEq(pool.totalBonus(), 0, "live bonus accounting depleted");
assertFalse(
pool.claimsStarted(),
"outcome remains re-flaggable after value movement"
);
// The moderator corrects the result to an in-scope, good-faith corruption.
vm.prank(moderator);
pool.flagOutcome(
PoolStates.Outcome.CORRUPTED,
true,
attacker
);
// The corrected entitlement excludes the bonus already swept away.
assertEq(
pool.bountyEntitlement(),
principal,
"whitehat bounty has lost the entire bonus"
);
uint256 attackerBefore = token.balanceOf(attacker);
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(
token.balanceOf(attacker) - attackerBefore,
principal,
"whitehat receives principal only"
);
// The intended bounty before the permissionless sweep was principal + bonus.
assertEq(principal + bonus, 150 * ONE);
}

Recommended Mitigation

Protocol-accounted funds must remain reserved while the moderator can still re-flag the outcome.

Before claimsStarted becomes true, sweepUnclaimedBonus() should reserve the complete original snapshot, regardless of whether stakers are entitled to the bonus under the currently flagged outcome:

uint256 reserved;
if (!claimsStarted) {
// The outcome is still mutable. Preserve all tracked assets so that a
// corrective re-flag can use the original economic snapshot.
reserved = snapshotTotalStaked + snapshotTotalBonus;
} else if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
if (riskWindowStart != 0) {
reserved += snapshotTotalBonus - claimedBonus;
}
}

This still permits direct-transfer donations above the snapshotted pool balance to be swept without allowing the tracked bonus to leave.

Do not solve the issue merely by setting claimsStarted = true whenever a sweep succeeds. That would allow a caller to send a one-unit donation and use the sweep to permanently block a legitimate moderator correction.

A robust design should distinguish:

  • excess donations, which may be swept during the correction window; and

  • snapshotted principal and bonus, which must remain untouched until the outcome becomes final.

For bonus-only pools where no staker can make the first claim, introduce either an explicit moderator finalization action or a bounded correction period after which the outcome becomes immutable and the tracked bonus becomes sweepable.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!