claimAttackerBounty() always sends to the hardcoded attacker address. If the attacker's address gets blacklisted by the stake token (e.g. USDC) after being named by the moderator, every claim attempt reverts. The attacker cannot redirect funds to another address. After corruptedClaimDeadline passes, the entire pool sweeps to recoveryAddress the attacker loses their full legitimate bounty entitlement permanently.
After deadline, funds go elsewhere permanently:
No alternative path exists for the attacker to redirect their bounty.
Code snippet-
https://github.com/CodeHawks-Contests/2026-07-bc-confidence-pools/blob/58e8ba4ce3f3277866e4926f3140e597f9554a1e/src/ConfidencePool.sol#L432
Blacklisted attacker permanently loses entire bounty entitlement.
Add optional receiver parameter to claimAttackerBounty():
This allows the named attacker (msg.sender check unchanged) to redirect their bounty to any non-blacklisted address they control, preventing permanent fund loss from token blacklisting while preserving all existing security guarantees.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.