Normally, a pool sponsor can update the pool scope only while the registry is
in the staging states: NOT_DEPLOYED or NEW_DEPLOYMENT. Once the pool
observes any other state, such as ATTACK_REQUESTED, the scope should be
permanently locked so existing stakers keep the coverage they originally accepted.
The issue is that scopeLocked is set inside _observePoolState(), but both
setPoolScope() and pokeRiskWindow() can revert immediately after calling
it. Because a revert rolls back all state changes in the transaction, the
lock is discarded. Later, when the registry returns to NOT_DEPLOYED, the
sponsor can change scope even though the pool already observed
ATTACK_REQUESTED
Likelihood:
The sponsor can regain scope mutability after the registry returns to
NOT_DEPLOYED / NEW_DEPLOYMENT, even though the pool already observed a
state that should have closed the sponsor's scope-control window.
During the same ATTACK_REQUESTED period, a sponsor's rejected
setPoolScope() call also reverts after temporarily setting scopeLocked,
causing the lock to be rolled back.
Impact:
Existing stakers can remain deposited while the pool's published coverage
scope is replaced, weakening the protocol's stated guarantee that stakers are
exposed only to the scope they signed up for once the registry leaves staging.
The sponsor can regain scope mutability after the registry returns to
NOT_DEPLOYED / NEW_DEPLOYMENT, even though the pool already observed a
state that should have closed the sponsor's scope-control window.
Avoid writing scopeLocked and then reverting in the same call path.
One approach is to make observation of a post-staging state persist even when no
risk window starts:
For setPoolScope(), avoid reverting after newly sealing scope. The function
should either seal and return without changing scope, or use a separate
non-reverting observation path before enforcing the scope-change restriction.
Also add a regression test for the ATTACK_REQUESTED -> NOT_DEPLOYED rewind
path to ensure the sponsor cannot replace scope after the pool has already
observed ATTACK_REQUESTED.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.