FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

Permanent reduction of Attacker Bounty due to `sweepUnclaimedBonus` during the re-flag window

Author Revealed upon completion

Root + Impact

The sweepUnclaimedBonus function allows the permanent removal of tracked bonus funds from the pool without triggering the claimsStarted finality latch. This enables a race condition where a temporary incorrect outcome allows third parties to deplete the bonus pool, irrevocably reducing the bounty entitlement for a subsequent corrected CORRUPTED outcome.

Description

The protocol implements a flagOutcome function that allows the moderator to correct a previously set outcome as long as no participant has acted upon it. This finality is tracked via the claimsStarted flag.

The sweepUnclaimedBonus function is designed to recover excess funds (donations/dust) to the recoveryAddress. However, when an outcome is set to SURVIVED, this function treats the entire totalBonus as "unclaimed" if riskWindowStart is zero. Because sweepUnclaimedBonus explicitly does not set claimsStarted to true, it allows for the movement of value while leaving the re-flag window open. If a moderator incorrectly flags an agreement as SURVIVED and a sweep occurs before the correction to CORRUPTED, the totalBonus is permanently lost to the recoveryAddress, and the attacker’s bounty (which is snapshotted during the re-flag) is significantly reduced.

function sweepUnclaimedBonus() external nonReentrant {
// ... logic to calculate amount ...
if (totalEligibleStake == 0 || riskWindowStart == 0) {
@> totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
@> // Intentionally does NOT set claimsStarted.
stakeToken.safeTransfer(recoveryAddress, amount);
}

Risk

Likelihood:

  • Occurrence happens during the interval between an accidental SURVIVED flag (permitted even if registry is CORRUPTED) and the moderator's corrective CORRUPTED flag.

  • External observers or MEV bots monitor the OutcomeFlagged event and trigger sweepUnclaimedBonus immediately to redirect funds.

Impact:

  • Permanent loss of bonus funds intended for the whitehat attacker.

  • Breach of the protocol's core incentive alignment, as the "Good Faith" bounty becomes underfunded.

Proof of Concept

function test_PoC_SweepBonusReducesBounty() public {
_stake(alice, 100 * ONE); _contributeBonus(bob, 50 * ONE);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
pool.pokeRiskWindow();
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
pool.sweepUnclaimedBonus(); // Maliciously sweeps the 50 ONE bonus
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.bountyEntitlement(), 100 * ONE); // Should have been 150
}

Recommended Mitigation

if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
- // Intentionally does NOT set claimsStarted.
+ if (amount > 0 && !claimsStarted) claimsStarted = true;
stakeToken.safeTransfer(recoveryAddress, amount);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!