The Confidence Pool distributes bonus rewards using a k=2 time-weighted formula (T - entryTime)^2, which is intentionally designed to "crush" late entrants by yielding a near-zero score as the entry time approaches the terminal timestamp T (riskWindowEnd).
However, because a parabola curves upwards in both directions, if a benign upstream registry rewind occurs (e.g., from PRODUCTION back to UNDER_ATTACK), the terminal timestamp T is permanently latched while staking re-opens, allowing an attacker to deposit with an entryTime strictly greater than T, resulting in a massive, mathematically-inverted score inflation instead of a penalty.
Likelihood:
The upstream IAttackRegistry state machine transitions from a terminal state (like PRODUCTION) back to an active-risk state (like UNDER_ATTACK) due to a DAO correction, appeal, or delay.
The DESIGN.md explicitly anticipates and designs around "a benign upstream state rewind", validating this as an expected protocol environment state.
Impact:
Any staker who deposits after the rewind receives a massive exponential score that dilutes all earlier, legitimate stakers.
An attacker can permissionlessly siphon nearly 100% of the entire bonus pool, causing a massive loss of funds for early risk-takers.
A legitimate staker deposits 100 * ONE. The registry resolves, latching riskWindowEnd (T). A benign rewind occurs, re-opening staking. The attacker stakes 100 * ONE. Because entryTime > T, their time distance grows positively. At expiration, the attacker walks away with 90% of the bonus pool, leaving the legitimate staker with only 10%.
Clamp user metrics to T during score calculation. This ensures any stake deposited after riskWindowEnd automatically yields a penalty score of 0, maintaining the k=2 mathematical invariant.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.