All ConfidencePool clones that share the same agreement read the same registry state. A single CORRUPTED signal therefore triggers the auto‑CORRUPTED backstop in every sibling pool that has observed a risk window and passed its grace period, multiplying the loss across all pools tied to that agreement.
Each ConfidencePool operates independently with its own stake and bonus, but all pools created for the same agreement share the same registry state.
When one agreement reaches CORRUPTED, the mechanical auto‑CORRUPTED backstop fires in every sibling pool that has observed a risk window and passed its grace period. One signal drains every pool tied to that agreement, multiplying the loss.
Likelihood:
An agreement must be placed into CORRUPTED (DAO‑approved UNDER_ATTACK followed by sponsor‑controlled markCorrupted).
Each sibling pool must have observed a risk window and passed its own 180‑day grace period. After that, the auto‑CORRUPTED backstop triggers in all of them independently.
Impact:
The blast radius is the sum of all pools' balances. An attacker who engineers one agreement‑level corruption drains multiple pools.
Stakers in different pools are unknowingly exposed to the same single point of failure.
Explanation:
Two pools are created on the same agreement, each with a different staker depositing 50 tokens. Both pools observe the UNDER_ATTACK risk window via pokeRiskWindow. The registry is then moved to CORRUPTED. After warping past the grace period, claimExpired is called on both pools, forcing them into bad‑faith CORRUPTED. The sponsor calls claimCorrupted on each and receives the combined 100 tokens. This demonstrates that one corruption signal on the agreement sweeps all sibling pools.
Mitigation explanation:
The mitigation introduces per‑pool scope verification before the mechanical backstop can fire. Even if the agreement is globally CORRUPTED, a specific pool is only swept if the actual breached contract falls within that pool’s committed scope. This can be checked by calling IAgreement(agreement).isContractInScope(breachContract) and requiring it to be true. An alternative is to allow a per‑pool override: a separate moderator (or a governance vote) can exempt an individual pool from the auto‑CORRUPTED sweep when the breach is clearly out of scope. This breaks the shared‑fate amplification, ensuring one corrupt agreement does not automatically drain every pool.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.