The claimExpired function can be triggered by any caller after the grace period to finalize a CORRUPTED registry state as bad-faith. This mechanical resolution sets claimsStarted to true, which permanently locks the outcome and prevents the moderator from ever flagging a good-faith outcome for a valid whitehat attacker.
The protocol provides a MODERATOR_CORRUPTED_GRACE period after pool expiry. Once this period elapses, claimExpired allows anyone to resolve the pool if the registry is CORRUPTED.
The specific issue is that this mechanical resolution is "scope-blind" and defaults to a bad-faith outcome. By setting claimsStarted = true, it invokes the finality latch of the contract. A malicious or automated actor can frontrun the moderator's attempt to call flagOutcome(CORRUPTED, true, ...) the moment the grace period ends. This results in the entire pool being swept to the recoveryAddress, effectively stealing the bounty from the whitehat who performed the in-scope attack.
Likelihood:
Occurs precisely at the block when block.timestamp >= expiry + MODERATOR_CORRUPTED_GRACE.
Automated bots or the pool sponsor (who controls recoveryAddress) have a direct financial incentive to trigger this before the moderator can name an attacker.
Impact:
Total loss of bounty for the whitehat attacker.
Permanent lockout of administrative power to correct the outcome to "Good Faith".
Allow the moderator to override a mechanical bad-faith resolution if and only if the current outcome is CORRUPTED and goodFaith is currently false.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.