The protocol intends the moderator to be the authoritative decision-maker for determining whether a corruption event was in scope (CORRUPTED) or out of scope (SURVIVED).
However, claimExpired() contains an automatic resolution path that permanently forces the pool into CORRUPTED whenever:
the agreement registry reports CORRUPTED,
riskWindowStart != 0, and
the moderator grace period has elapsed.
The design itself acknowledges:
"Scope-blind by design."
This means the automatic resolver does not evaluate whether the actual exploit was inside the committed account scope of the pool.
Instead, it relies solely on the registry-level corruption state.
Consequently, once the moderator becomes unavailable past the grace period, any user can permanently finalize the pool as CORRUPTED, even in situations where the moderator would have classified the incident as SURVIVED because the exploit occurred outside the pool's committed scope.
Likelihood:
Moderator inactivity beyond MODERATOR_CORRUPTED_GRACE.
Agreement-level corruption where the exploit is outside this pool's committed scope.
Impact:
Honest stakers lose their expected SURVIVED distribution.
Entire pool transitions to CORRUPTED settlement despite no in-scope compromise.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.