ConfidencePool commits to a snapshot of the Agreement's scope when it is set. However, the Agreement's scope is mutable. When scope gets locked, it doesn't verify that the current scope is indeed a valid one.
The getScopeAccounts() function is presented as a "binding audit trail" but the agreement owner can make it inconsistent with the live Agreement without any pool interaction or event. This can happen through Agreement functions. The Agreement contract implements addAccounts/removeAccounts which are callable by the owner of the Agreement. This is the same owner of the ConfidencePool.
When the scope gets locked, it is not verified that the contract is in scope for the Agreement also:
It is possible that an contract gets removed from the Agreement's scope, but remains in the ConfidencePool's scope.
Likelihood:
Agreement owners/sponsors can always do this.
Impact:
The scope of the ConfidencePool mismatches the underlying Agreement's scope and is unclear to the attackers looking to claim the rewards.
When locking the scope, consider going through the accounts array and verifying them by calling the Agreement's isContractInScope(...) function.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.