FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

`sweepUnclaimedBonus` moves the whole bonus without setting `claimsStarted`, so a later good-faith CORRUPTED re-flag underpays the named whitehat by the entire bonus

Author Revealed upon completion

Description

  • A good-faith CORRUPTED outcome entitles the moderator-named whitehat to the entire pool (principal plus bonus). The moderator may correct a mistaken outcome through the re-flag window for as long as no value has moved, which the contract tracks with the one-way claimsStarted latch: once value leaves the contract, claimsStarted is set and the outcome is final.

  • When riskWindowStart == 0, sweepUnclaimedBonus sends the entire contributed bonus to the sponsor-controlled recoveryAddress but deliberately leaves claimsStarted unset. The re-flag window therefore stays open on stale accounting. A moderator SURVIVED-then-CORRUPTED correction recomputes bountyEntitlement from the already-drained totalBonus (flagOutcome at ConfidencePool.sol:358 and :362, reached because :327 does not revert while claimsStarted == false), so the whitehat is entitled to principal only and the bonus is stranded at recoveryAddress.

function sweepUnclaimedBonus() external nonReentrant {
if (outcome != PoolStates.Outcome.SURVIVED && outcome != PoolStates.Outcome.EXPIRED) {
revert OutcomeNotEligibleForSweep();
}
uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
@> if (riskWindowStart != 0) { reserved += snapshotTotalBonus - claimedBonus; } // riskWindowStart==0 => bonus is NOT reserved
}
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0; // amount == the whole bonus
if (amount == 0) revert NothingToSweep();
if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus; // the reward pool is drained to 0
}
@> // Intentionally does NOT set claimsStarted <-- the whole bonus has moved, yet the outcome stays re-flaggable
stakeToken.safeTransfer(recoveryAddress, amount); // whole bonus -> sponsor recovery
emit BonusSwept(msg.sender, recoveryAddress, amount);
}

Risk

Likelihood:

  • Occurs whenever a pool holds a contributed bonus and the registry reaches a terminal state without the active-risk window ever being observed, leaving riskWindowStart == 0 (a supported, reachable state per DESIGN §5 and §7, for example a skip straight to PRODUCTION or an instant CORRUPTED).

  • Occurs whenever the moderator first flags SURVIVED on that registry and later uses the documented §4 re-flag window to correct to good-faith CORRUPTED, while any account calls the permissionless sweepUnclaimedBonus between the two flags. The sponsor is motivated to make that call, since the swept funds land at their own recoveryAddress.

Impact:

  • The moderator-named good-faith whitehat is underpaid by the entire contributed bonus; those funds are diverted to the sponsor-controlled recoveryAddress. No staker principal is lost, which bounds this at Medium.

  • The documented re-flag correction mechanism is silently defeated for the bonus: the outcome flips to good-faith CORRUPTED, but the funds that correction is supposed to redirect to the whitehat have already left the contract.

Proof of Concept

test/PoC_sweep-reflag-bonus-leak.t.sol (extends BaseConfidencePoolTest). With principal S = 100e18 and bonus B = 40e18, the whitehat receives 100, the 40 bonus is stranded at recoveryAddress, and the control test proves the correct payout is 140.

function test_exploit_bonusStolenFromWhitehatViaSweepReflag() external {
_stake(alice, S);
_contributeBonus(carol, B); // pool holds S + B
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED); // riskWindowStart never sealed
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0)); // moderator's mistake
assertEq(pool.riskWindowStart(), 0);
assertFalse(pool.claimsStarted());
vm.prank(recovery); // permissionless caller
pool.sweepUnclaimedBonus();
assertEq(token.balanceOf(recovery), B); // whole bonus swept to sponsor
assertEq(pool.totalBonus(), 0);
assertFalse(pool.claimsStarted()); // re-flag window still open
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker); // documented correction
assertEq(pool.bountyEntitlement(), S); // BUG: principal-only, bonus missing
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), S); // whitehat got principal only
assertEq(token.balanceOf(recovery), B); // bonus stuck at the sponsor
assertLt(token.balanceOf(attacker), S + B); // shorted by the whole bonus
}
// Control: with no intervening sweep, the same good-faith CORRUPTED pays the whitehat S + B.
function test_control_correctPathPaysWholePool() external {
_stake(alice, S);
_contributeBonus(carol, B);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.bountyEntitlement(), S + B);
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), S + B);
}
forge test --match-path test/PoC_sweep-reflag-bonus-leak.t.sol -vv
[PASS] test_control_correctPathPaysWholePool() (gas: 571955)
[PASS] test_exploit_bonusStolenFromWhitehatViaSweepReflag() (gas: 596673)
Suite result: ok. 2 passed; 0 failed; 0 skipped

Recommended Mitigation

Sweeping the entire reward pool is an outcome-committing value movement, so finalize the outcome in exactly that branch. This keeps the existing 1-wei-donation protection: when a risk window was observed, the bonus is reserved and only genuine excess or dust is swept, so that path still does not latch.

if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
+ // The whole reward pool has left the contract; finalize so a later re-flag cannot
+ // re-owe a bonus that is already gone.
+ claimsStarted = true;
}

An alternative fix is to block a re-flag into a bonus-owing outcome once the bonus can no longer be honored, by reverting in flagOutcome when totalBonus < snapshotTotalBonus.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!