When the registry has already reached CORRUPTED, a permissionless caller can still finalize the pool as EXPIRED if no pool interaction previously observed the active-risk phase and riskWindowStart therefore remains zero.
The affected route is:
_observePoolState()
claimExpired()
flagOutcome()
The automatic CORRUPTED branch inside claimExpired() requires both:
If the registry reached CORRUPTED without the pool previously observing UNDER_ATTACK or PROMOTION_REQUESTED, the second condition is false.
After expiry, any caller can invoke claimExpired(). The function then falls through to the EXPIRED branch, returns principal through the expiration settlement path, and permanently latches the mechanical outcome.
Because claimsStarted is set during the mechanical resolution, the moderator can no longer correct the outcome to CORRUPTED.
Medium.
The route requires:
the registry to reach CORRUPTED;
no earlier pool interaction to seal riskWindowStart;
the pool to reach expiry; and
a permissionless caller to invoke claimExpired() before the moderator flags the corrupted outcome.
No privileged role, non-standard token behavior, or direct storage modification is required.
High.
For a genuine in-scope corruption, the pool can be irreversibly finalized as EXPIRED before the moderator applies the correct CORRUPTED settlement.
Stakers can recover their principal through the expiration path, while the later moderator action that would route the pool through corrupted settlement is blocked.
This can cause the entire staked principal to bypass the intended CORRUPTED outcome and its recovery or good-faith bounty path.
The PoC reproduces a terminal CORRUPTED registry state with no locally observed risk window.
The later moderator route is blocked by:
Before claimExpired():
After claimExpired():
This proves that the absence of a locally observed risk window can convert a terminal corrupted state into an irreversible expired settlement.
The finalization logic should preserve a scope-aware decision boundary when the registry is already terminal CORRUPTED, even if the active-risk interval was not locally observed.
A safe correction should prevent the permissionless expiration path from irreversibly foreclosing a valid corrupted settlement before the relevant terminal state has been reconciled.
A regression test should verify that a terminal CORRUPTED registry state cannot be irreversibly converted into EXPIRED solely because the pool did not locally observe the earlier active-risk phase.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.