ConfidencePool.sol allows the pool owner (sponsor) to change the recoveryAddress via setRecoveryAddress() at any time. This function has no guard checking whether the pool outcome has already been resolved.
After a moderator flags the pool as CORRUPTED, the sponsor can change recoveryAddress to an address they control, then call claimCorrupted() or sweepUnclaimedCorrupted() to drain the entire pool balance (stake + bonus + attacker bounty) to their own wallet instead of the intended recovery destination.
Likelihood:
Reason 1 — The sponsor calls setRecoveryAddress after the moderator flags the pool as CORRUPTED, with no additional conditions required.
Reason 2 — The exploit executes in a single transaction with no dependencies on external state or user actions.
Impact: High
Impact 1 — The entire pool balance (all staker deposits plus bonus contributions) is redirected to the sponsor's controlled address instead of the intended recovery destination.
Impact 2 — In a good-faith CORRUPTED scenario, the whitehat attacker's bounty entitlement is also stolen, as the sponsor can sweep the unclaimed remainder after the claim window expires.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.