FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

Bonus sweep can reduce a corrected attacker bounty

Author Revealed upon completion

Description

Before the first claim, the moderator can correct an incorrectly flagged outcome or attacker. The pool should preserve enough value to honor every outcome that remains selectable during that correction window.

sweepUnclaimedBonus() can remove tracked bonus while claimsStarted remains false. A later correction from SURVIVED or EXPIRED to good-faith CORRUPTED snapshots the reduced totalBonus, so the named attacker receives less than the pool held before the permissionless sweep.

function flagOutcome(
PoolStates.Outcome newOutcome,
bool goodFaith_,
address attacker_
) external onlyModerator {
// @> Reflagging remains allowed until a claim sets claimsStarted.
if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) {
revert OutcomeAlreadySet();
}
// @> A correction snapshots totalBonus after a sweep has reduced it.
snapshotTotalBonus = totalBonus;
bountyEntitlement = willBeGoodFaithCorrupted
? snapshotTotalStaked + snapshotTotalBonus
: 0;
}
function sweepUnclaimedBonus() external nonReentrant {
if (totalEligibleStake == 0 || riskWindowStart == 0) {
// @> The permissionless sweep removes tracked bonus.
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
// @> No finality flag is set, so the moderator can still reflag.
stakeToken.safeTransfer(recoveryAddress, amount);
}

Risk

Likelihood:

  • This occurs when tracked bonus exists, a SURVIVED or EXPIRED result makes it sweepable, and the moderator later corrects the result to good-faith CORRUPTED.

  • Any address can execute the sweep and can front-run a visible moderator correction.

Impact:

  • Up to the entire tracked bonus can be redirected from the attacker to recoveryAddress.

  • The correction succeeds but snapshots an underfunded bounty even though the pool held the missing value immediately before the sweep.

Proof of Concept

Place PoC.t.sol in test/ and run:

forge test test/PoC.t.sol -vvv
function test_BonusSweep() external {
_stake(alice, 100 ether);
_contributeBonus(carol, 50 ether);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
uint256 recoveryBefore = token.balanceOf(recovery);
vm.prank(dave);
pool.sweepUnclaimedBonus();
assertEq(token.balanceOf(recovery) - recoveryBefore, 50 ether);
assertFalse(pool.claimsStarted());
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.snapshotTotalBonus(), 0);
assertEq(pool.bountyEntitlement(), 100 ether);
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), 100 ether);
}

Recommended Mitigation

Reserve all tracked bonus while the outcome remains re-flaggable. Permit only untracked excess balance to be swept before distribution finality. Add an explicit finalization mechanism when a no-claimer pool needs a liveness path.

function sweepUnclaimedBonus() external nonReentrant {
- uint256 reserved;
- if (totalEligibleStake != 0) {
- reserved = totalEligibleStake;
- if (riskWindowStart != 0) {
- reserved += snapshotTotalBonus - claimedBonus;
- }
- }
+ uint256 reserved = totalEligibleStake;
+
+ if (!claimsStarted) {
+ reserved += totalBonus;
+ } else if (totalEligibleStake != 0 && riskWindowStart != 0) {
+ reserved += snapshotTotalBonus - claimedBonus;
+ }
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;
if (amount == 0) revert NothingToSweep();
- if (totalEligibleStake == 0 || riskWindowStart == 0) {
+ if (claimsStarted && (totalEligibleStake == 0 || riskWindowStart == 0)) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
stakeToken.safeTransfer(recoveryAddress, amount);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!