The pool owner can call setRecoveryAddress() at any time, including after users have deposited funds. This lets the owner
replace the configured recovery destination before a recovery-path settlement.
The updated address receives funds from bad-faith CORRUPTED settlements, expired attacker bounties, and unclaimed bonus
sweeps.
A malicious or compromised owner can redirect recovery-path funds to an arbitrary address.
Severity: Low, as it requires the trusted pool owner.
function testOwnerCanRedirectRecoveryFunds() external {
uint256 amount = 100e18;
address maliciousRecovery = makeAddr("maliciousRecovery");
}
Lock recoveryAddress after the first stake, or require address updates to pass through a timelock.
function setRecoveryAddress(address newRecoveryAddress) external onlyOwner {
if (expiryLocked) revert RecoveryAddressLocked();
if (newRecoveryAddress == address(0)) revert InvalidRecoveryAddress();
}
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.