Normal behavior: A ConfidencePool lets stakers deposit funds and sponsors add a bonus; a moderator or expiry backstop determines the pool outcome and the contract distributes payouts to participants according to that outcome.
Specific issue: The settlement logic grants unilateral power to the moderator (a single privileged account) to finalize outcomes and trigger transfers without multisig, timelock, or strict recipient validation, allowing the moderator (or anyone controlling the moderator key) to cause immediate, irreversible redirection or seizure of pooled funds.
Likelihood:
The moderator key is exposed through common real-world scenarios such as a compromised developer/maintainer account, insecure key storage, or a malicious/compromised relayer, making moderator-controlled settlement likely to be abused in practice.
The project design intentionally permits moderator-triggered settlement without additional on-chain safeguards or multi-party confirmation, enabling straightforward exploitation once moderator access exists.
Impact:
Complete or partial loss of staker and sponsor funds across affected pools due to immediate on-chain transfers to attacker-controlled addresses.
Severe reputational damage and economic loss for the protocol and users; pooled bonus and staked capital can be drained with high-speed on-chain execution once the moderator key is misused.
Expected result: After the call, pool.settled() is true and contract balance is transferred (in whole or part) to attacker.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.