FoundrySolidityLayer 2
7.25 ETH
Submission Details
Impact: high
Likelihood: medium

sweepUnclaimedBonus moves the entire bonus without latching finality, so a later good-faith CORRUPTED re-flag strips the named whitehat of the whole bonus pool

Author Revealed upon completion

Root + Impact

Root cause: sweepUnclaimedBonus is the only fund-moving function that moves tokens out of the pool without setting the claimsStarted finality latch, so the moderator's flagOutcome correction window stays open after the bonus has already left the contract.

Impact: a subsequent (legal) SURVIVED → good-faith CORRUPTED correction re-snapshots a totalBonus that was already swept to recoveryAddress, so the named whitehat is paid only the principal and loses the entire bonus pool.

Description

  • Normal behavior: finality is meant to latch on the first value movement — every claim/sweep sets claimsStarted = true, and flagOutcome may only re-flag (correct a mis-flagged outcome) while claimsStarted == false (DESIGN.md §4). For a good-faith CORRUPTED outcome the named whitehat is entitled to the entire pool = stake + bonus (DESIGN.md §12).

  • The issue: sweepUnclaimedBonus, in the riskWindowStart == 0 branch, sends the whole snapshotTotalBonus to recoveryAddress and zeroes totalBonus, but never sets claimsStarted. The re-flag window therefore stays open after real funds left. A later flagOutcome(CORRUPTED, goodFaith=true, attacker) recomputes bountyEntitlement from the now-zeroed totalBonus, so the whitehat's entitlement excludes the bonus that already left.

// src/ConfidencePool.sol — sweepUnclaimedBonus
uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
@> if (riskWindowStart != 0) { // riskWindowStart == 0 -> bonus is NOT reserved
reserved += snapshotTotalBonus - claimedBonus;
}
}
uint256 amount = freeBalance > reserved ? freeBalance - reserved : 0; // == full bonus B
...
@> totalBonus -= amount <= totalBonus ? amount : totalBonus; // totalBonus -> 0
@> // claimsStarted is NEVER set here -> flagOutcome re-flag window stays OPEN after funds left
// src/ConfidencePool.sol — flagOutcome (re-flag allowed because claimsStarted is still false)
@> snapshotTotalBonus = totalBonus; // == 0, bonus already swept to recoveryAddress
@> bountyEntitlement = willBeGoodFaithCorrupted ? snapshotTotalStaked + snapshotTotalBonus : 0; // == P + 0

Risk

Likelihood:

  • The registry reaches terminal CORRUPTED while no pool interaction ever observed an active-risk state, leaving riskWindowStart == 0 — a reachable state the design explicitly accounts for (DESIGN.md §5).

  • The moderator flags SURVIVED (the documented out-of-scope judgement, §8) and then reclassifies to good-faith CORRUPTED through the correction window §4 exists for, while the permissionless sweepUnclaimedBonus is called in between — the recoveryAddress sponsor is financially motivated to sweep, since it captures the bonus that would otherwise go to the whitehat.

Impact:

  • The named good-faith whitehat receives only the principal; the entire bonus pool is permanently diverted to recoveryAddress.

  • The loss equals the whole bonus — the sponsor's full incentive budget, which can be a multiple of the principal — so the good-faith reward mechanism guaranteed by §12 is destroyed.

Proof of Concept

Full test in test/unit/ConfidencePool.sweepReflagBonus.t.sol (3 tests pass; forge test --match-contract SweepReflagBonus -vv). Core exploit — principal P = 100, bonus B = 40, whitehat receives 100 instead of 140:

function test_exploit_sweepThenReflag_shortsWhitehatByBonus() public {
_fundAndCorruptWithoutRiskWindow(pool); // alice stakes 100, carol bonus 40, registry -> CORRUPTED, riskWindowStart == 0
// (1) Moderator flags SURVIVED (breach judged out-of-scope). claimsStarted stays false.
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.SURVIVED, false, address(0));
assertEq(pool.claimsStarted(), false);
// (2) Anyone sweeps the "unowed" bonus -> 40 leaves to recovery, totalBonus -> 0, claimsStarted STILL false.
vm.prank(bob);
pool.sweepUnclaimedBonus();
assertEq(token.balanceOf(recovery), BONUS);
assertEq(pool.totalBonus(), 0);
assertEq(pool.claimsStarted(), false);
// (3) Moderator corrects to good-faith CORRUPTED (breach was in-scope). Allowed: claimsStarted false.
vm.prank(moderator);
pool.flagOutcome(PoolStates.Outcome.CORRUPTED, true, attacker);
assertEq(pool.bountyEntitlement(), PRINCIPAL); // 100, NOT 140
// (4) Whitehat claims and receives only principal; the 40 bonus is stuck at recovery.
vm.prank(attacker);
pool.claimAttackerBounty();
assertEq(token.balanceOf(attacker), PRINCIPAL);
assertEq((PRINCIPAL + BONUS) - token.balanceOf(attacker), BONUS); // shorted by the full bonus
}

Recommended Mitigation

Reserve the bonus until finality is actually latched, regardless of riskWindowStart:

uint256 reserved;
if (totalEligibleStake != 0) {
reserved = totalEligibleStake;
- if (riskWindowStart != 0) {
- reserved += snapshotTotalBonus - claimedBonus;
- }
+ // Hold the bonus until a real claim latches finality (claimsStarted), so this sweep cannot
+ // fire inside the still-open flagOutcome re-flag window and divert the bonus a later
+ // good-faith CORRUPTED correction owes the whitehat.
+ if (!claimsStarted) {
+ reserved += snapshotTotalBonus - claimedBonus;
+ }
}

Alternative: forbid re-flagging into CORRUPTED once any bonus has been swept, or size bountyEntitlement in flagOutcome from stakeToken.balanceOf(address(this)) instead of the mutable-since-flag snapshotTotalBonus.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!