Root + Impact
Summary
sweepUnclaimedBonus() sends the entire accounted bonus to recoveryAddress without setting claimsStarted. The moderator consequently re-flag SURVIVED as good-faith CORRUPTED, but the whitehat’s bounty is calculated from the depleted totalBonus, excluding the swept bonus.
Description
The protocol permits the moderator to correct an outcome while claimsStarted == false. This allows mistakes involving the outcome, good-faith status, or attacker address to be corrected before anyone relies upon the original distribution.
For a SURVIVED outcome where riskWindowStart == 0, stakers are not entitled to bonus rewards. Therefore, sweepUnclaimedBonus() correctly considers the entire bonus pool unreserved and transfers it to recoveryAddress. The problem is that this sweep moves real, accounted value without closing the outcome correction window.
Root cause
Outcome correction is blocked only when claimsStarted is true:
if (outcome != PoolStates.Outcome.UNRESOLVED && claimsStarted) {
revert OutcomeAlreadySet();
}
Claims correctly set this finality latch after transferring value. However, sweepUnclaimedBonus() explicitly does not.
stakeToken.safeTransfer(recoveryAddress, amount);
Avoiding the latch is appropriate for donation-only sweeps. Otherwise, an attacker could directly transfer one wei into the pool, sweep it, and prematurely close the moderator’s correction window.
The issue here is applying that exception to every sweep, including sweeps that remove accounted bonus. When there are no remaining stakers or no locally observed risk window, the function reduces totalBonus by the swept amount.
if (totalEligibleStake == 0 || riskWindowStart == 0) {
totalBonus -= amount <= totalBonus ? amount : totalBonus;
}
This is not merely removing an unsolicited donation. With riskWindowStart == 0, it can remove the entire genuine bonus pool while leaving the outcome mutable.
A subsequent good-faith CORRUPTED flag snapshots the depleted accounting in `` function.
snapshotTotalStaked = totalEligibleStake;
snapshotTotalBonus = totalBonus;
corruptedReserve =
snapshotTotalStaked + snapshotTotalBonus;
bountyEntitlement =
snapshotTotalStaked + snapshotTotalBonus;
Because totalBonus was reduced during the earlier sweep, snapshotTotalBonus silently excludes the bonus transferred to recovery.
The broken state transition control flow is therefore:
Accounted bonus leaves pool
↓
totalBonus decreases
↓
claimsStarted remains false
↓
Outcome remains mutable
↓
CORRUPTED snapshots depleted bonus
↓
Whitehat bounty excludes swept value
The contract treats the sweep as final for token accounting but non-final for outcome correction. Those two decisions are incompatible.
Risk
Likelihood:
-
When a pool's active-risk interval passes without anyone interacting with it, riskWindowStart stays 0 and the agreement then settles to CORRUPTED.
-
When the moderator first flags SURVIVED on an out-of-scope judgment and later corrects it to good-faith CORRUPTED and sweepUnclaimedBonus() is called in the gap between those two actions. The call is permissionless, and the sponsor (who owns recoveryAddress) is directly incentivized to make it, since the sweep locks the bonus into their own address before the moderator can redirect it to the whitehat.
Impact:
The whitehat loses its entire bonus allocation: the tokens are irreversibly transferred to recoveryAddress before the corrected CORRUPTED outcome snapshots balances, so they are never part of bountyEntitlement. Principal remains claimable, but bounty funds reach the wrong recipient.
Proof of Concept
pragma solidity 0.8.26;
import {IAttackRegistry} from "@battlechain/interface/IAttackRegistry.sol";
import {PoolStates} from "src/libraries/PoolStates.sol";
import {BaseConfidencePoolTest} from "test/helpers/BaseConfidencePoolTest.sol";
contract CorruptedBountyHuntTest is BaseConfidencePoolTest {
function testPoC_SweepUnclaimedBonusThenReflagCorrupted_ShortsWhitehat() external {
uint256 principal = 100 * ONE;
uint256 bonus = 50 * ONE;
_stake(alice, principal);
_contributeBonus(carol, bonus);
assertEq(pool.riskWindowStart(), 0, "no risk window observed");
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
assertEq(uint256(pool.outcome()), uint256(PoolStates.Outcome.SURVIVED), "survived flagged");
assertEq(pool.riskWindowStart(), 0, "still no risk window");
uint256 recoveryBefore = token.balanceOf(recovery);
pool.sweepUnclaimedBonus();
uint256 recoveryGotBonus = token.balanceOf(recovery) - recoveryBefore;
assertEq(recoveryGotBonus, bonus, "bonus swept to recovery");
assertEq(pool.claimsStarted(), false, "sweep did NOT latch claimsStarted -> reflag still open");
assertEq(pool.totalBonus(), 0, "totalBonus zeroed by sweep");
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
uint256 entitlement = pool.bountyEntitlement();
assertEq(entitlement, principal, "BUG: entitlement excludes the swept bonus");
assertLt(entitlement, principal + bonus, "BUG: whitehat entitlement short by the bonus");
uint256 attackerBefore = token.balanceOf(attacker);
vm.prank(attacker);
pool.claimAttackerBounty();
uint256 attackerGot = token.balanceOf(attacker) - attackerBefore;
assertEq(attackerGot, principal, "whitehat received only principal");
assertLt(attackerGot, principal + bonus, "LOSS: whitehat short-changed by the bonus");
assertEq(token.balanceOf(recovery) - recoveryBefore, bonus, "bonus permanently at recovery");
}
function testPoC_Control_FreshGoodFaithCorruptedPaysWholePool() external {
uint256 principal = 100 * ONE;
uint256 bonus = 50 * ONE;
_stake(alice, principal);
_contributeBonus(carol, bonus);
attackRegistry.setAgreementState(IAttackRegistry.ContractState.CORRUPTED);
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.bountyEntitlement(), principal + bonus, "fresh: whole pool owed to whitehat");
uint256 attackerBefore = token.balanceOf(attacker);
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker) - attackerBefore, principal + bonus, "fresh: whitehat gets whole pool");
}
}
[PASS] testPoC_SweepUnclaimedBonusThenReflagCorrupted_ShortsWhitehat()
[PASS] testPoC_Control_FreshGoodFaithCorruptedPaysWholePool()
Recommended Mitigation
Set the finality latch on any sweep that removes accounted value, while preserving the
donation-only exemption the existing comment protects. The totalBonus decrement already identifies
the accounted-value case exactly:
// sweepUnclaimedBonus, replacing lines 498-505
if (totalEligibleStake == 0 || riskWindowStart == 0) {
-- totalBonus -= amount <= totalBonus ? amount : totalBonus;
++ uint256 dec = amount <= totalBonus ? amount : totalBonus;
++ totalBonus -= dec;
// Removing genuinely-accounted bonus is a reliance event. close the correction window so a
// later good-faith CORRUPTED re-flag cannot snapshot the now-depleted totalBonus. A
// donation-only sweep (dec == 0) still leaves the window open, preserving the anti-grief
// property the original comment protects.
++ if (dec != 0 && !claimsStarted) claimsStarted = true;
}
stakeToken.safeTransfer(recoveryAddress, amount);