Stakers are allowed to call withdraw() to exit their entire principal while the registry is in the ATTACK_REQUESTED state:
Since ATTACK_REQUESTED is a public state visible on-chain immediately before the registry transitions to UNDER_ATTACK (active attack window), stakers can easily monitor the registry and front-run the transition to withdraw their funds.
Impact:
This undermines the utility of the confidence pool. If stakers can run away as soon as an attack is requested, the pool will hold zero capital by the time the attack actually happens, failing to provide the intended confidence backing for the agreement.
Disable withdrawals once the registry transitions to ATTACK_REQUESTED to ensure staker capital remains committed once an attack sequence is initiated:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.