In good-faith CORRUPTED, the named attacker/whitehat should receive the full bounty: snapshotTotalStaked + snapshotTotalBonus.
However, flagOutcome() allows pre-claim reflagging while claimsStarted == false, and SURVIVED can be flagged while the registry is already CORRUPTED. During this correction window, anyone can call sweepUnclaimedBonus().
When riskWindowStart == 0, sweepUnclaimedBonus() reserves only outstanding principal, treats the whole bonus as sweepable, sends it to recoveryAddress, and decrements totalBonus:
If the moderator first flags SURVIVED, the bonus can be swept to the sponsor-controlled recoveryAddress before the moderator corrects to good-faith CORRUPTED. The corrected bounty then snapshots only the remaining principal.
RISK
Likelihood:
The registry is CORRUPTED, no active-risk window was locally observed, and riskWindowStart == 0.
The moderator uses the documented correction window by first flagging SURVIVED and later correcting to good-faith CORRUPTED.
Any caller can invoke sweepUnclaimedBonus() before the correction because the function is permissionless and does not close the correction window.
Impact:
Third-party bonus funds intended to reward the named whitehat are permanently diverted to the sponsor-controlled recoveryAddress.
The loss can dominate the bounty. With 1 principal and 1000 bonus, direct good-faith CORRUPTED would pay 1001 to the whitehat, but this sequence pays only 1; the 1000 bonus is swept to recoveryAddress.
This creates a real capability delta: in good-faith CORRUPTED, the sponsor should receive nothing, but this sequence lets the sponsor-controlled recovery address capture the bonus.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.