The factory should create pools only with valid, protocol-compliant parameters so each new pool starts in a safe and usable state.
The issue is that ConfidencePoolFactory.sol can be abused or misused through weak input validation during createPool, which may deploy a pool with invalid configuration and break later deposits or settlement.
Likelihood:
The bug is reached on every pool creation, so malformed configuration can be introduced at the protocol entry point.
Factory functions are commonly public, making invalid inputs easy to submit during normal use or via attacker-crafted calls.
Impact:
A pool can be deployed in a broken state, causing failed deposits, failed settlement, or locked funds.
The issue affects all users of that pool and can repeat across multiple deployments.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.