In ConfidencePool.sol, the owner (sponsor) can call setPoolScope() to modify the covered accounts array at any time, as long as scopeLocked is false:
Stakers typically deposit their funds while the registry is in NEW_DEPLOYMENT (pre-attack staging). Because scopeLocked is not linked to whether the pool has active deposits, the sponsor can change the pool's scope to cover a completely different set of contracts (or add high-risk/compromised contracts from the parent agreement) after stakers have already staked.
This directly contradicts the design document's claim:
"Once locked, the pool's coverage is fixed... stakers' exposure is bounded by what they signed up for at deposit time."
If the sponsor changes the scope after deposits, stakers are exposed to risk they did not sign up for, with no way to withdraw once the risk window opens.
Impact:
Sponsors can malicious/grief stakers by swapping the pool scope to cover vulnerable contracts right before an attack registry state change, resulting in staker principal being swept/lost.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.