setRecoveryAddress() is gated only by onlyOwner — there is no check on the current outcome state. This means the pool owner (sponsor) can change the destination for CORRUPTED sweeps even after flagOutcome has been called.
If the moderator flags CORRUPTED (bad-faith), all funds sweep to recoveryAddress via claimCorrupted(). The owner can front-run the sweep by changing recoveryAddress to an address they control, effectively stealing staker principal.
Likelihood:
This occurs when the pool owner acts maliciously after the moderator flags a CORRUPTED outcome. The owner always has the technical ability to call setRecoveryAddress between flagOutcome and the sweep.
The two-step ownership transfer (Ownable2Step) means only the confirmed owner can execute this, but there is no timelock.
Impact:
Staker principal + bonus is redirected to an attacker-controlled address instead of the legitimate recovery address.
Stakers have no on-chain recourse once the sweep executes.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.