When the agreement reaches the CORRUPTED state and a risk window has been observed, all principal‑recovery paths withdraw, stake, contributeBonus, and claimExpired are simultaneously blocked for a 180‑day grace period after expiry. Stakers have no self‑release mechanism and are forced to wait for the moderator or the automatic backstop.
When an agreement is legitimately corrupted, stakers should not be able to withdraw, to prevent front‑running the corruption flag. After a corruption flag, the pool expects the moderator to quickly resolve the outcome.
When the agreement reaches CORRUPTED with an observed risk window, all exit paths close for 180 days after expiry, even if the moderator is silent. Stakers are locked with no self‑release mechanism.
Likelihood:
An agreement transitions to CORRUPTED (DAO‑approved UNDER_ATTACK + sponsor markCorrupted). The risk window was previously observed.
The moderator does not act within the 180‑day grace window (intentional or due to unavailability).
Impact:
Staker principal is frozen for up to 180 days after expiry. No funds are lost, but liquidity is completely denied.
The lock is absolute; no staker‑callable escape exists.
Explanation:
A pool is created and a staker deposits 100 tokens. The risk window is opened via pokeRiskWindow while the agreement is UNDER_ATTACK. The registry is then set to CORRUPTED. The staker tries to withdraw but is blocked because the risk window is active and the state is not pre‑attack.
After expiry, the staker tries claimExpired but is again blocked because the grace window is still active (revert with AgreementCorruptedAwaitingModerator). Only after warping past the grace period does claimExpired succeed, and the sweep follows. This demonstrates the absolute freeze during the 180‑day grace.
Mitigation explanation:
The current code defers entirely to the moderator during the grace window, leaving stakers with zero agency. The mitigation adds a shorter, staker‑callable path that returns only principal (no bonus, no bounty) after a reasonable timeout for example, 30 days after expiry.
This preserves the moderator’s exclusive ability to name a whitehat and trigger the good‑faith bounty during the early part of the window, while giving stakers a bounded, trust‑minimised way to recover their funds if the moderator is permanently silent. The lock is softened from an indefinite 180‑day hold to a manageable 30‑day wait, after which principal is safely returned.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.