The protocol provides the moderator a pre-claim "re-flag window" to correct mistakes in the outcome. During this window, any unreserved bonus can be swept to the sponsor's recoveryAddress via sweepUnclaimedBonus(), which intentionally avoids locking the re-flag window (it doesn't set claimsStarted).
Because sweepUnclaimedBonus() decrements totalBonus, if the moderator flags a non-CORRUPTED outcome, the sponsor sweeps the bonus, and the moderator subsequently corrects the outcome to CORRUPTED, the flagOutcome function re-snapshots totalBonus at 0. This irreversibly lowers the attacker's bountyEntitlement, redirecting funds that rightfully belong to the attacker into the sponsor's wallet.
Likelihood:
The moderator flags SURVIVED or EXPIRED (e.g., misjudging an incident as out-of-scope).
The sponsor (or any observer) calls sweepUnclaimedBonus() before any claims are made, sweeping the bonus to the recoveryAddress.
The moderator realizes the incident was actually an in-scope breach and re-flags to a good-faith CORRUPTED outcome.
Impact:
The good-faith whitehat attacker loses the entire bonus portion of their bounty.
The sponsor successfully extracts funds from the pool that should have gone to the attacker, breaking the core invariant that the attacker is entitled to the full pool (stake + bonus) in a good-faith scenario.
The following sequence demonstrates how the sponsor can extract the bonus while the moderator is investigating an outcome.
To resolve this issue without breaking the donation-griefing protection inside sweepUnclaimedBonus (which explicitly avoids setting claimsStarted), flagOutcome should only snapshot the accounting variables on the first flag, preventing the swept bonus from corrupting a later correction.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.