Description
Before the first claim, the moderator can correct an incorrectly flagged outcome or attacker. The pool should preserve enough value to honor every outcome that remains selectable during that correction window.
sweepUnclaimedBonus() can remove tracked bonus while claimsStarted remains false. A later correction from SURVIVED or EXPIRED to good-faith CORRUPTED snapshots the reduced totalBonus, so the named attacker receives less than the pool held before the permissionless sweep.
function flagOutcome(
PoolStates.Outcome newOutcome,
bool goodFaith_,
address attacker_
) external onlyModerator {
if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) {
revert OutcomeAlreadySet();
}
snapshotTotalBonus = totalBonus;
bountyEntitlement = willBeGoodFaithCorrupted
? snapshotTotalStaked + snapshotTotalBonus
: 0;
}
function sweepUnclaimedBonus() external nonReentrant {
if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
stakeToken.safeTransfer(recoveryAddress, amount);
}
Risk
Likelihood:
-
This occurs when tracked bonus exists, a SURVIVED or EXPIRED result makes it sweepable, and the moderator later corrects the result to good-faith CORRUPTED.
-
Any address can execute the sweep and can front-run a visible moderator correction.
Impact:
-
Up to the entire tracked bonus can be redirected from the attacker to recoveryAddress.
-
The correction succeeds but snapshots an underfunded bounty even though the pool held the missing value immediately before the sweep.
Proof of Concept
Place PoC.t.sol in test/ and run:
forge test test/PoC.t.sol -vvv
function test_BonusSweep() external {
_stake(alice, 100 ether);
_contributeBonus(carol, 50 ether);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
uint256 recoveryBefore = token.balanceOf(recovery);
vm.prank(dave);
pool.sweepUnclaimedBonus();
assertEq(token.balanceOf(recovery) - recoveryBefore, 50 ether);
assertFalse(pool.claimsStarted());
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.snapshotTotalBonus(), 0);
assertEq(pool.bountyEntitlement(), 100 ether);
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), 100 ether);
}
Recommended Mitigation
Reserve all tracked bonus while the outcome remains re-flaggable. Permit only untracked excess balance to be swept before distribution finality. Add an explicit finalization mechanism when a no-claimer pool needs a liveness path.
function sweepUnclaimedBonus() external nonReentrant {
- uint256 reserved;
- if (totalEligibleStake != 0) {
- reserved = totalEligibleStake;
- if (riskWindowStart != 0) {
- reserved += snapshotTotalBonus - claimedBonus;
- }
- }
+ uint256 reserved = totalEligibleStake;
+
+ if (!claimsStarted) {
+ reserved += totalBonus;
+ } else if (totalEligibleStake != 0 && riskWindowStart != 0) {
+ reserved += snapshotTotalBonus - claimedBonus;
+ }
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;
if (amount == 0) revert NothingToSweep();
- if (totalEligibleStake == 0 || riskWindowStart == 0) {
+ if (claimsStarted && (totalEligibleStake == 0 || riskWindowStart == 0)) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
stakeToken.safeTransfer(recoveryAddress, amount);
}